The adware attack campaign that was spreading through Facebook Messenger late last month was enabled by the use of fake Chrome extensions and also stole victims’ Facebook access tokens.
The campaign began spreading in the last couple of weeks of August through the use of Messenger messages that included the recipient’s name and a shortened link. The message looks like a legitimate one and it comes from a contact in the recipient’s list.
“Clicking on the link will redirect the user to a URL on docs.google.com. This link is made by using the preview link of a shared PDF, most likely because it is the quickest way to get a large controlled content area on a legit Google domain with an external link,” David Jacoby of Kaspersky Lab and Frans Rosen of Detectify wrote in a post analyzing the campaign.
“After the Google Docs link is clicked, the user will go through a bunch of redirects, most likely fingerprinting the browser.”
Eventually, the victim will land on a fake YouTube page with a video that asks the victim to install a Chrome extension. The attackers used four different extensions, and all of the code for them was stolen from legitimate extension. The extensions use several obfuscated scripts and one of the things the scripts do is create an access token for the victim’s Facebook account using an old API that Facebook has deprecated. The attackers discovered that they could still create the access tokens using an old app. They then used that token to infiltrate the victim’s account.
“Since the attackers now had an FQL-enabled access token, they could use the deprecated API to fetch the victim’s friends sorted by date of their online presence, getting the friends that were online at the time. They randomized these friends picking 50 of them each time the attack would run only if the friends were marked as idle or online,” the researchers said.
“A link was then generated by a third domain, which only received the profile ID of the user. This site most likely created the PDF on Google Docs with the profile picture of the current victim and passed the public link back through a URL shortener. After the link was fetched, a message was created randomly for each friend, but the link was reused among them.”
Google has disabled all of the fake chrome extensions, Jacoby and Rosen said.