Trojan.BPlug.1074 is the name of a recently discovered trojan that hides in Chrome extensions and will spam your Facebook friends with links to malicious websites.
BPlug was first seen a week ago, as part of a Google Chrome extension's JavaScript files. Once users install the Chrome extension in their browser, it waits for the victim to visit Facebook.
There, the trojan retrieves the user's UID (user identifier) and their CSRF token. These details are then used to perform actions on Facebook on the user's behalf.
BPlug spams your friends via user groups and Facebook mentions
BPlug hides some of the user's top-right menu options, preventing them from accessing the logout menu, and it also creates a randomly named group in the user's name.
In this group, the trojan will then share a link at various intervals and start mentioning random friend names from your contact list.
These friends will receive a notification, and in most cases they will investigate the group post, sometimes clicking the link if they do not recognize it as spam.
Spam leads users to a Facebook clone
This link takes the users to a Facebook lookalike website that makes it seem like someone has shared a YouTube video with their friends. Clicking to view this video prompts the user to download a plugin. In the case of Google Chrome browsers, Dr.Web security researchers claim it is another Google Chrome plugin containing the same BPlug trojan, but also other malware.
A particularity of this link is that it only shows the fake YouTube video if the user is clicking it from inside the Facebook group. Accessing it directly or from another website shows a blank page.
Dr.Web researchers said that they detected over 12,000 users who installed this malicious plugin in their Chrome browser. Softpedia has reached out to Dr.Web in order for the company to disclose the extension's name so that users can avoid installing it in their browsers.
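Since the article does not name the extension, one practical check is to review which installed extensions are allowed to run code on Facebook pages at all, which an extension needs in order to read a page's UID and CSRF token. The following is an added example, not code from Dr.Web or from the original article; the sample manifests and their names are constructed, and the script assumes you feed it the parsed `manifest.json` of each installed extension.

```javascript
// Added example: flag Chrome extensions whose manifest lets them act on Facebook pages.
const TARGET = { scheme: "https", host: "www.facebook.com" };

// True if a Chrome match pattern (e.g. "*://*.facebook.com/*") covers the target host.
// The path part is ignored on purpose: any host-level access is worth a review.
function patternCoversHost(pattern, target = TARGET) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]+)?\//.exec(pattern);
  if (!m) return false; // API permission such as "tabs" or "storage", not a host pattern
  const [, scheme, host = ""] = m;
  if (scheme !== "*" && scheme !== target.scheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return target.host === base || target.host.endsWith("." + base);
  }
  return host === target.host;
}

// Returns one finding per manifest section that grants access to the target host.
function auditManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const hits = (cs.matches || []).filter((p) => patternCoversHost(p));
    if (hits.length) findings.push({ kind: "content_script", patterns: hits, files: cs.js || [] });
  }
  // Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === "string" && patternCoversHost(p));
  if (perms.length) findings.push({ kind: "host_permission", patterns: perms });
  return findings;
}

// Constructed sample manifests (hypothetical names, not the extension from the article).
const SAMPLE_SUSPECT = {
  name: "Video Plugin (constructed)", manifest_version: 2,
  content_scripts: [{ matches: ["*://*.facebook.com/*"], js: ["inject.js"] }],
  permissions: ["tabs", "<all_urls>"],
};
const SAMPLE_BENIGN = {
  name: "Notes (constructed)", manifest_version: 3,
  content_scripts: [{ matches: ["https://example.org/*"], js: ["notes.js"] }],
  permissions: ["storage"], host_permissions: ["https://api.example.org/*"],
};

console.log(JSON.stringify(auditManifest(SAMPLE_SUSPECT), null, 2));
console.log(auditManifest(SAMPLE_BENIGN).length);
```

A finding is a prompt for review, not a verdict: many legitimate extensions request broad host access, so the flagged script files still need to be inspected.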