Rogue Google Chrome Extension Helps Crooks Harvest Facebook Likes

An impersonation of the Adobe Flash Player is being used by cyber-criminals to get page likes for various campaigns in just two clicks, then sell them to other customers.

The story of a page that has gathered 40,000+ likes starts with an apparently harmless link to a page hosting videos of kittens and unicorns. The page is located on an internationalized domain – xn--47aaeaba.com – that performs the redirect to the fast[removed]e.com domain (registered yesterday – 2013-02-17 – in Turkey and whose owner asked that their contact information not be published). This page asks the victim to install a fake version of the Flash Player in order to see the video content.

Fig. 1: the fake player asks for a special plugin

Victims using Google Chrome are then taken to the plugin’s page on the Chrome store where they are asked to install an extension named Business Flash Player!, a rogue extension for the browser that can access Facebook cookies and like pages on the user’s behalf.

Fig. 2: The malicious plugin on the Chrome Web Store

The extension fetches a piece of Javascript code from a short link hard-coded into the plugin. At the moment of writing, the snippet of code looks like this (it can change at any time, depending on which “like” campaign the plugin’s creator runs):

Fig.3: Javascript snippet used to “like” a page by ID

Please note the last line of code that instructs the user’s browser to artificially “like” a Facebook page with the ID of 274169846047328. A quick look on the social networking platform reveals it is associated with Mehmet Özbilen, a fan page that managed to get 40,319 likes since its creation on February 12 with no content posted on it.

Fig. 4: Blank page with tens of thousands of “likes” ready to be purchased and customized

This type of scam is highly lucrative for its creators. With just a couple of lines of code – many of which have already been open-sourced on the web and are ready to be copied and pasted – crooks can gather significant numbers of likes from unwary Facebook users and grow a page that is ready to be sold to the highest bidder.

As the number of likes contributes to the page’s Edge Rank (a proprietary algorithm that decides which users see what is being posted on the page), shady companies and cyber-criminals alike are bidding for pages that already have a considerable number of likes.