Facebook scams now spread by dodgy browser plug-ins
Cybercrooks deploy new weapon to pollute profiles
Con men have developed a new approach towards spreading scams on Facebook.
Instead of using status updates as a lure, the latest generation of Facebook scams attempt to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips supposedly posted by an earlier victim.
Once installed, these malign browser ad-ons spread the scam from one user's profile to another's profiles.
Elad Sharf, security researcher at Websense Security labs, explains: “Scam pages typically utilise social engineering tricks such as enticing you with videos or a free voucher. In this new scam you’re encouraged to install a browser plugin.
"The plugin is an integral part of how the scam is spread and has the ability to propagate by posting in your name on friends' pages. As much as these offers look tempting, if you’re asked to install plug-ins in order to get vouchers or watch a video – remember it could be a trick to spread scams, spam and malware.”
The bogus extensions come as add-ons for both Firefox and Chrome. More details of the scam, including screenshots, can be found in a blog post by Websense here. ®
What's new about this apart from the word 'facebook'? "You need this codec/app/whatever to see this shiny thing" scams have been around forever.
I don’t know if it’s fair to blame “dumb” users in this case.
The somewhat flawed windows security model has finally come home to roost, 20 years of windows indoctrination have created a culture where people expect to be able to install what ever you want whenever you want.
The increasing number of formats is also contributing to the problem, when I first started working with computers only .bat, .com and .exe file types represented executable code.
I’ve even had the unfortunate experience on my new windoze 7 laptop, I was looking at elReg page with an embedded youTube movie on it when windoze announced that I needed to install a ‘plugin’ in order view the video, then windoze reported that I didn’t have the authority to install the plugin (Hooray!!!) and then asked would I like to upgrade my level of authority so that I could (Boo!!!!!!).
People don’t go out and leave the keys to the house in the door, they lock their cars when they park then and they don’t write their PINs on the back of credit cards.
People have to start treating their computers with the same level of security that would apply in the rest of their lives.
the marks come to you
there is no need to send phishing emails with the added bonus that if they are dumb enough to be on facebook then they are probably dumb enough to click on links to see the shiny thing, increasing the hit rate.