April 29, 2016
The malicious plug-in for Google Chrome is detected as Trojan.BPlug.1074. If the plug-in affects the browser, it determines the identifier of the user (UID) when they log on to Facebook and modifies the appearance of the website by removing the Privacy Shortcuts menu located at the upper-right side of the Facebook window, together with other drop-down menus of the social network’s interface. Then the Trojan obtains the user’s friend list.
After that, Trojan.BPlug.1074 creates a new group named randomly. Using the group ID, the victim’s profile photo and the address of the webpage retrieved from a configuration file, the Trojan generates a “share a link” post and publishes it on the wall in specified intervals. What is more, the Trojan adds all the victim’s friends on Facebook to the post so this message is published on their walls too.
If the user follows the specified link, they are redirected to some webpage whose appearance is identical to the Facebook web design. Yet, if another website was used to follow this link, the user is redirected to a blank webpage.
The webpage is named “Hello please watch my video” and contains an allegedly standard video player. If the victim uses Chrome, they are prompted to download and install a browser plug-in that is, in fact, another copy of Trojan.BPlug.1074.
Trojan.BPlug.1074 can use this method to spread other plug-ins for Google Chrome.
Doctor Web security researchers registered more than 12,000 cases involving the Trojan.BPlug.1074 malicious plug-in being installed by Facebook users as of April 28, 2016. Dr.Web Anti-virus successfully detects and removes this Trojan. Yet, our specialists recommend you to pay careful attention when installing extensions for the browser even if they are offered by such a popular website as Facebook.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments