Malicious Chrome Extension Spread through PDFs containing ‘Nude Celebrity’

Tomsguide.com posted on December 13th, 2016, stating that researchers from Cyren, Firm of Internet Security, based in the McLean, Virginia, identified a Chrome Extension that was malicious. This chrome extension was spreading PDFs that are malicious on the Facebook, promising content related to nude celebrity.

Victims were enticed to click a file, i.e. PDF, on the Facebook with a promise to show nude content of celebrity. According to blog post of Cyren, users goes through a chain of redirects on clicking the Chrome browser, which eventually shows a popup that was asking to install the chrome extension.

Once installed, this malicious extension will be able to read as well as collect personal data of users' on Facebook, and also gain permissions like "posting on their behalf." After this, the process was repeated by the malware by posting the "nude PDF" files on the Facebook timeline, groups, and also sending them to private messages of their friends on Facebook.

When malicious link was clicked by the user in a browser apart from chrome, then it redirects them to many new web pages consisting nude content and adverts.

Here the takeaway is always same: Never click on the poorly written scams of Facebook promising pornographic videos. First indication of illegitimate message (or 2nd or 3rd, depending how much dismissive the users are about poor grammar and certainly also fake nude pictures of celebrity) should be attached file. The attached file is PDF, although MP4 was included in description only for misleading the people. Obviously, PDFs are never video files.

Malware also got installed in the device of user's throughout this process. Aggressive messages of spam were created by this malware, thus driving them crazy! Chrome extension, in addition, includes antispam and antivirus domain names list that was actively blocked by the software, so it might even got missed by the antivirus software.

Once infected, getting rid of this malware from the device becomes very difficult. Victims are required to delete extension in the Google Chrome, along with deleting software from registry key.

The registry can be cleaned little bit by the following process: In Registry Editor (type "regedit" into command line on Windows), find HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension, then remove all suspicious files. (Go ahead and remove everything; you can always install again your genuine extensions later.) Then, visit the C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions, and delete all the illegal extension immediately.

» SPAMfighter News - 12/16/2016