A primed browser extension works in the background every time a website is opened, almost without the user noticing. The unaware users see mysterious "likes" in their personal accounts, but where they have come from remains obscure to many at first. Experts at G Data SecurityLabs have been taking a close look at this issue and explain the sophisticated ploy using the example of the Google Chrome browser.
On primed websites the user is led to believe that he is updating his Adobe Flash Player to view a video on the website. In the case being considered, this supposed player could only be downloaded via Google Chrome, as this is the browser that the manipulators have primed this player to manipulate.
The file offered, player.exe, runs a registry entry on the PC that forces the Chrome browser to download and install a browser extension from a predefined URL. The ID of the browser extension in the case being considered is a string of characters, "gagalgomhifgcmeciklindhpaihmecgi":
The installation of the extension, which is called Adobe Flash Player, is executed in such a way after restarting the browser that the extension is invisible to the user – it does not appear in the list of extensions, which makes it hard for the victim to identify the cause of the problems when surfing. A primed Cascading Style Sheet called "custom.css" is placed in the Google Chrome folder to hide the extension. Its contents are:
The browser extension has numerous different permissions after being installed:
"unlimitedStorage", "notifications", "clipboardWrite", "notifications", "clipboardRead", "management", "tabs", "history", "cookies", "idle", "contextMenus", "storage", "webRequest", "webRequestBlocking", "contentSettings", "*://*/*"
The extension conceals the browser's real user agent and changes its data as follows: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/325.13"However, if the update connects to a specific domain (soft***.com), from where it downloads a script called "virtual.js", the original user agent is used. The script prevents a number of predefined domains being called up, which in the script are designated as "zararlidomainler". "Zararli domainler" is Turkish and means "malicious domains".Preprogrammed routines are launched depending on which website is opened in the browser. The example currently being considered distinguishes between three cases:
Instead of ask.fm, the update loads a goo.gl short link, which forwards to a type of Turkish online community called "Sorpampa".
A Facebook profile belonging to the community (called "ssorpampa" with two s's) has existed since March 19th 2013 and has more than 295,000 fans – which is an unnaturally high level of popularity for a site that has only been online for barely four weeks.
Instead of the Google website, the update loads another domain (aramamekani.com, where the Turkish expression "Arama Mekani" means something like "search place"). The website called up is a primed Google clone with numerous display advertisements, links to Facebook and Twitter etc. plus advertisements for erotic sites. The domain was registered on March 29th 2013.
As many users use Google as their browser start page, many people realize at this point that something is wrong, because they are no longer seeing their normal start page. But for the operators of the website, each page display means money, which they earn for displaying the advertising.
If this page is opened in a tab, the primed browser update injects a script (sys.js) into the Facebook page to provide predefined Facebook accounts and pages with "likes". The injected script is loaded by an external URL. The update stores these external download addresses in the cloud provided for updates by Google and can change these addresses as necessary using scripts downloaded from various domains (similar to Command and Control Servers in botnets).
The update hides the downloaded script code directly on the Facebook page so that the so-called "Same Origin Policy" is not breached and the update can generate "likes" on the Facebook page without interruption.
The image above shows a Facebook page that has no content but was able to generate over 28,000 "likes". Such levels can only occur in the configuration through manipulation and are not natural. The name of the Facebook page ("Indirimleri Takip") means "Follow the discounts" in Turkish. A look at the source of the "likes" shows a significant preponderance of clicks from users in Turkey.
This browser extension is also available in very similar forms for the Mozilla Firefox browser. With this the scripts are downloaded from different websites, but the automatic Facebook "likes" function remains the same.
The browser extension has tried to hide itself in PCs so frequently that it appears in fourth place in the G Data SecurityLabs monthly MII risk statistics for March!
Google has since blocked the extension.
The browser extension is truly versatile and makes life difficult for the victim by blocking websites and redirecting them to others.
Furthermore the generation of Facebook "likes" is irritating for users: if malicious links are posted in an account or on a website with many fans, for example, there is a high probability that a large number of the fans will click on them. Another possibility might be that the creators of the Facebook page sell it along with a large number of fans and the buyer changes it for his own purposes. The reluctant fans know nothing about this and then become advocates of content that they do not actually like.
As recommendations from friends generally appear credible, the appearance of "likes" on walls is a problem: the extension victim's friends will see the page he is supposedly recommending and will probably open it.
Because the extension is hidden using the custom.css file, it is not directly visible. However, this problem is very quickly solved so it is quite easy to remove the extension: