Malware disguised as a Facebook video has infected up to 800,000 users’ machines, according to independent Italian security researchers. The malware hijacks web browsers to harvest passwords, using a fake browser plug-in for Google’s Chrome.
Speaking to the New York Times’ Bits blog, researcher Carlo de Micheli says that the malware spreads in links, emails or Facebook messages which tell users they have been “tagged” on the site. When users click the link, they are prompted to download a browser extension, Micheli says.
The extension is malicious – and can send any information stored in the browser to the attackers. Many web users store information such as passwords, Facebook and Twitter log-ins, and that information is instantly available to the attackers.
De Micheli says that the malware is spreading at a rate of 40,000 attacks per hour, and has infected 800,000 users. De Micheli claims that the attackers have now released a version targeting Firefox users.
“A few years ago, you’d tell your friends, don’t click on attachments,” Mr. De Micheli said in a phone interview. “Now, the same advice applies to browser add-ons.”
The tactic of disguising malware as browser add-ons is not new. ESET reported this week on a popular browser add-on, Orbit Downloader, which contained hidden remotely-updating DDoS functions.
“When we detect items containing malware or learn of them through reports, we remove them. In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” a Facebook spokesman said in a statement. “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”
Author Rob Waugh, We Live Security