Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).
Figure 2. Iframe is used to redirect the user to the landing page, briefly displaying this page
If a user clicks on the Facebook link, they are redirected to a Facebook page. This page contains an iframe (Figure 2) that goes through a series of redirects and ultimately lands on a page promoting Facebook Black (Figure 3).
Some of the sites we have observed leading to the Facebook Black landing page include:
Figure 3. Facebook Black Page
Users are then enticed to install a Google Chrome extension (Figure 4).
Figure 4. Fake Chrome extension for Facebook Black
Figure 5. Extension downloads more files
Figure 6. User account contains a new page
Figure 7. Newly created Facebook page contains iframe redirect (Welcome tab)
Ultimately, users who install this Facebook extension are presented with a set of survey scams (Figure 8), which is how the scammers monetize these types of campaigns.
Figure 8. Survey scam pushed after extension is installed
Symantec customers are protected against this attack by our Web Attack: Fake Facebook Application 3 IPS signature, and we detect the fake Chrome extension as Trojan Horse.
Google has already removed several of these Chrome extensions and continues to improve its automated detections for malicious extensions. Users who may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.