Facebook users worldwide may be exposed to the Carfekab Trojan spreading in a new virulent campaign on the social network. The ‘Profile Viewers’ add-on entices users with the promise of seeing their stalkers on Facebook. Over 2,400 .tk domains have already been registered for malicious purposes.
The browser extension fraudulently gathers ‘likes’ and spreads from one timeline to another. The downloaded “.exe” installs a malicious file, detected by Bitdefender antivirus software as Trojan.JS.Carfekab.A. The malware is capable of posting messages on users’ behalf and sending their personal data to the attackers’ servers. The Trojan may also be used for browser spying.
The infection propagates through Facebook messages in which victims share a random number of times their profile has been viewed. They also unwittingly tag their friends.
The “Top Visitors” message is then followed by a malicious link that leads to a browser add-on titled “Profile Viewers” or “Who Views.”
“Ever wanted to know who is viewing your profile or who has viewed it while you were offline?,” the website of the fake app reads. “Now you can! Just click the ‘Start Now’ button below to find out.”
The code allows cyber-criminals to spread several variations of the scam. The number of profile visitors shown is never “0.”
Malware writers gain immediate access to victims’ contact lists after they click on the dangerous website. By showing that the victim’s friends liked the app and tagging them, cyber-crooks increase both the scam’s credibility and its spreading rate on Facebook.
They also seem to hijack the number of likes of the social network’s official Facebook page. As the official page gains new likes, the malicious page claims to have gathered the same number of likes. So far, over 111 million users have clicked the ‘like’ button on Facebook’s product and service page, and the scammers pretend the same number like theirs.
Bitdefender experts have been studying malicious browser add-ons for several years. One study published in 2012 in the Virus Bulletin showed malware developers continuously exploit the general belief that add-ons are benign. By developing cross-platform malicious extensions, attackers can gain access to users’ sensitive information.
In May 2013, Microsoft warned about the Febipos Trojan, which was hijacking Facebook accounts by luring users with messages such as “15 year-old victim of bullying commits suicide after showing her breasts on Facebook”, “R$1000-voucher contest” or “a brand new Celta paying R$13 per day!” Febipos was able to ‘like’ a page, join a group, invite friends to a group and even chat with them.