A piece of malicious software masquerading as a Facebook video is hijacking users’ Facebook accounts and Web browsers, according to independent Italian security researchers who have been investigating the situation.
The malware appears as a link in an e-mail or Facebook message telling people that they have been tagged in a Facebook post. When users go to Facebook and click the link, they are sent to a separate Web site and prompted to download a browser extension or plug-in to watch a video, said one of the researchers, Carlo De Micheli, in a telephone interview on Monday.
Once that plug-in is downloaded, the attackers can access everything stored in the browser, including accounts with saved passwords. Many people commonly save e-mail, Facebook and Twitter login data in their browsers, so the attackers can masquerade as the victim and tap those accounts.
Mr. De Micheli said the malicious software has been spreading at a rate of about 40,000 attacks an hour and has so far affected more than 800,000 people using Google’s popular Chrome browser. It is replicating itself primarily by hijacking victims’ Facebook accounts and reaching out to their friends on the social network. A user hit by the malicious software cannot easily remove it, since it blocks access to the browser settings that allow it to be removed and also blocks access to many sites that offer virus removal software.
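As an added illustration, not part of the article or of the researchers' work, the following Python script shows how a user or administrator can audit the permissions that installed Chrome extensions request, which is the information that decides whether an extension can read every page, reach session cookies, and watch or close tabs in the way described above. The permission weights, the two sample manifests, and the profile-directory paths are constructed for this example; a real Chrome profile can be scanned with `scan_profile`.

```python
"""Audit Chrome extension manifests for broad, account-level permissions.

Added example, not the article's or the researchers' code. The weights in
RISKY_PERMISSIONS and the two sample manifests are constructed for illustration.
"""
import json
import os
from pathlib import Path

# Permissions that, together with access to every site, let an extension act as
# the signed-in user. Weights are an assumption chosen for this example.
RISKY_PERMISSIONS = {
    "cookies": ("read and write session cookies on granted hosts", 3),
    "webRequest": ("observe every HTTP request", 2),
    "webRequestBlocking": ("modify or block every HTTP request", 3),
    "tabs": ("see every open tab's URL and close tabs", 2),
    "history": ("read browsing history", 1),
    "management": ("disable or remove other extensions", 3),
    "nativeMessaging": ("talk to a native program outside the browser", 2),
    "proxy": ("route all traffic through a chosen proxy", 3),
    "webNavigation": ("observe navigation to every page", 1),
}

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Constructed sample manifests: one that looks like a "video player plug-in"
# asking for everything, and one benign utility asking for almost nothing.
SAMPLE_MANIFESTS = {
    "video-player-plugin (constructed)": {
        "manifest_version": 2,
        "name": "Video Player Plugin",
        "permissions": ["tabs", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        "background": {"scripts": ["bg.js"]},
    },
    "word-counter (constructed)": {
        "manifest_version": 3,
        "name": "Word Counter",
        "permissions": ["activeTab", "storage"],
        "host_permissions": [],
    },
}


def host_patterns(manifest):
    """Collect every host pattern the manifest asks for (MV2 and MV3 layouts)."""
    patterns = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    patterns += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def assess_manifest(manifest):
    """Return (score, findings) for one parsed manifest; higher score = broader reach."""
    findings, score = [], 0
    perms = manifest.get("permissions", [])
    for perm in perms:
        if perm in RISKY_PERMISSIONS:
            desc, weight = RISKY_PERMISSIONS[perm]
            findings.append(f"permission '{perm}': {desc}")
            score += weight
    broad = sorted({p for p in host_patterns(manifest) if p in BROAD_HOSTS})
    if broad:
        findings.append(f"host access to every site: {broad}")
        score += 3
        # All-site access plus cookies or tabs is what account takeover needs.
        if any(p in perms for p in ("cookies", "tabs")):
            findings.append("combination: all-site access plus cookies/tabs (can act as the user)")
            score += 2
    return score, findings


def rank_manifests(manifests):
    """Rank a {label: manifest} mapping by score, highest first."""
    ranked = [(label, *assess_manifest(m)) for label, m in manifests.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def scan_profile(profile_dir=None):
    """Load every <id>/<version>/manifest.json under a Chrome profile's Extensions dir."""
    if profile_dir is None:  # default profile locations per platform
        home = Path.home()
        candidates = [
            home / ".config/google-chrome/Default/Extensions",
            home / "Library/Application Support/Google/Chrome/Default/Extensions",
            Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
        ]
        profile_dir = next((c for c in candidates if c.is_dir()), candidates[0])
    manifests = {}
    for path in Path(profile_dir).glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            manifests[f"{path.parts[-3]}@{path.parts[-2]}"] = json.load(fh)
    return manifests


if __name__ == "__main__":
    for label, score, findings in rank_manifests(SAMPLE_MANIFESTS):
        print(f"{score:3d}  {label}")
        for line in findings:
            print(f"       - {line}")
```

Run as-is it reports on the two constructed manifests; `rank_manifests(scan_profile())` applies the same check to a real profile. The score is only a triage aid: a legitimate ad blocker also asks for `webRequestBlocking` on every site, so the findings list, not the number, is what a reviewer should read before deciding to remove an extension.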
A spokeswoman for Google, which makes the Chrome browser, said the company was aware of the attack and has already disabled the browser extensions that allowed it.
“When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances,” said the spokeswoman, Veronica Navarrete, in a statement. “We’ve already removed several of these extensions, and are continuing to improve our automated systems to help detect them even faster.”
Facebook said that its security systems had also detected the attack and it was working to clear the malicious links.
“In the meantime, we have been blocking people from clicking through the links and have reported the bad browser extensions to the appropriate parties,” Michael Kirkland, a Facebook spokesman, said in a statement. “We believe only a small percentage of our users were affected by this issue, and we are currently working with them to ensure that they’ve removed the bad browser extension.”
However, Mr. De Micheli said the attackers, who appear to be of Turkish origin based on comments embedded in the software, were adapting the malicious code and had already found a way to target users of Firefox, another popular browser.
This is not the first instance of an attack through a browser extension, which is a bit of software that allows a Web browser to perform specific functions, much like an app does for a smartphone. But this attack appears to be one of the most extensive to use the technology.
“A few years ago, you’d tell your friends, don’t click on attachments,” Mr. De Micheli said. Now, the same advice applies to browser add-ons, he said.
Mr. De Micheli said that browser makers should do a better job of warning users that installing a plug-in, like installing a smartphone app, can give the software access to a wide variety of personal information. “People are used to clicking ‘accept,’” he said.
Mr. De Micheli is an independent security researcher who, along with several other Italian colleagues, has done extensive work tracking unseemly activity on social networks, including the underground market in fake Twitter followers. In the case of the malicious browser extensions, he is working with Andrea Stroppa, Danny di Stefano and Matt Hofman.
Justin O’Kelly, a spokesman for Mozilla, said that users should make sure that they are only installing legitimate software from well-known Web sites that they trust. “Users should be wary of scams or suspicious messages asking them to install software from an unknown site,” he said in a statement.