’Profile Viewer’ Add-on Infects Facebook Users with Carfekab Trojan

Facebook users worldwide may be exposed to the Carfekab Trojan spreading in a new virulent campaign on the social network. The ‘Profile Viewers’ add-on entices users with the promise of seeing their stalkers on Facebook. Over 2,400 .tk domains have already been registered for malicious purposes.

The browser extension fraudulently gathers ‘likes’ and spreads from one timeline to another. The downloaded “.exe” installs a malicious file, detected by antivirus software Bitdefender as Trojan.JS.Carfekab.A. The malware is capable of posting messages on users’ behalf and sending their personal data to the attackers’ servers. The Trojan may also be used for browser spying.

The infection propagates through Facebook messages in which victims share a randomly generated count of how many times their profile has supposedly been viewed. They also unwittingly tag their friends.

The “Top Visitors” message is then followed by a malicious link that leads to a browser add-on titled “Profile Viewers” or “Who Views.”

“Ever wanted to know who is viewing your profile or who has viewed it while you were offline?” the website of the fake app reads. “Now you can! Just click the ‘Start Now’ button below to find out.”

The code allows cyber-criminals to spread several variations of the scam. The number of profile visitors could never be “0.”

Malware writers gain immediate access to victims’ contact lists as soon as they click through to the dangerous website. By showing that the victim’s friends liked the app and tagging them, cyber-crooks increase both the scam’s credibility and its spreading rate on Facebook.

They also appear to hijack the like count of the social network’s official Facebook page. Whenever the official page gains new likes, the malicious page claims to have gathered the same number. So far, over 111 million users have clicked the ‘like’ button on Facebook’s product and service page, and the scammers pretend that the same number like theirs.

Carfekab cyber-crooks also make money through fraudulent surveys. By asking users to take a quiz after multiple redirects, they earn ad revenues.

If users have installed ad-blocking software, the malware writers post a warning message to “help” them disable the ad blocker.

Bitdefender experts have been studying malicious browser add-ons for several years. One study published in 2012 in Virus Bulletin showed that malware developers continuously exploit the general belief that add-ons are benign. By developing cross-platform malicious extensions, attackers can gain access to users’ sensitive information.

In May 2013, Microsoft warned about the Febipos Trojan, which was hijacking Facebook accounts by luring users with messages such as “15 year-old victim of bullying commits suicide after showing her breasts on Facebook”, “R$1000-voucher contest” or “a brand new Celta paying R$13 per day!” Febipos was able to ‘like’ a page, join a group, invite friends to a group and even chat with them.

About the author

Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist who's always on to a cybertrendy story. She's the industry news guru who'll always keep a close eye on the AV movers and shakers and report their deeds from a fresh new perspective. Proud mother of one, she covers parental control topics, with a view to valiantly cutting a safe path for children through the Internet thicket. She likes to let words and facts speak for themselves.