Facebook spammers have started using rogue browser extensions to prolong the life of their scams, researchers from Web security vendor Websense warned.
Attacks using social engineering techniques have plagued Facebook for years and despite the company’s best efforts to block them, scammers have always found alternative methods of tricking users.
In a new type of scam detected by Websense researchers, attackers are encouraging users to install rogue browser extensions in order to view certain videos or receive free vouchers.
The add-ons, which are advertised as DivX plug-ins or coupon generator, use the Facebook API (Application Programming Interface) to post unauthorized messages on behalf of Facebook users who log in from the affected browsers.
So far, Websense has detected scams that are capable of determining the user’s browser and distribute rogue extensions for Mozilla Firefox or Google Chrome.
These scams are likely to generate a smaller number of victims than those using traditional methods because browsers display security warnings when users attempt to install extensions from unverified sources.
However, once a browser has been compromised in this way, the Facebook accounts accessed through it can be used for spamming purposes for long periods of time.
Scams that use rogue Facebook apps, malicious JavaScript pasted in address bars (self-XSS) or clickjacking for propagation are usually short-lived because Facebook can take steps to block them on the server-side.
However, the company will probably have a much harder time convincing users to uninstall rogue extensions from their browsers, especially since people tend to check their Facebook accounts from multiple computers.
“As much as these offers look tempting, if you’re asked to install plugins in order to get vouchers or watch a video — remember it could be a trick to spread scams, spam and malware,” said Elad Sharf, a security researcher at Websense.