Facebook accounts hijacked by malicious Chrome Extension

Google Chrome extensions continue to be among the topics covered by TrendMicro. Another malicious application targeting Facebook users has been reported this week: cybercriminals are using the social network to share a malicious link that claims to be a YouTube video of a drunk girl.

The shared video is not displayed directly; instead the user is asked to install a browser extension, which runs the malware and hijacks the Facebook account to keep the fake extension circulating. The extension is hosted on a virtual private server, and infected users are located in Brazil, the UK, the US, and Argentina.

Screenshot of the malicious link spotted by TrendMicro

Google has restricted extensions so that they are available only from the Chrome Web Store, but it is still possible to add extensions hosted on a private server, and these may obviously contain malware. TrendMicro has reported the infected files to Google so that they can take action and remove them. To secure your system, never open links from untrusted sources, and if you are going to install any extension, scan it with your security software first so that any risk posed by installing the program is identified.


“M & M Kitchen Appliances – INV211457” Malicious Spam that spreads Zbot

Malwarebytes recently reported a new spam campaign. The malicious email uses an invoice template from a kitchen appliance company. Today most users rely on online payment for purchasing any product, including kitchen appliances, which makes this kind of spam an effective trick for spreading viruses. In this case the attackers pretend to attach an invoice and invite the victim to open the attachment. Obviously, what the cybercriminals are attaching is a zipped file that installs the ZeuS banking trojan.

ZeuS is a well-known malware that, once executed, makes the system part of a botnet and sends the attackers sensitive information, including bank account credentials, by logging keystrokes and grabbing user passwords. Uploading the malicious file to VirusTotal shows that 29 antivirus engines identify it as malware.

Screenshot of the spam, source: Malwarebytes

If you have received a similar email, ignore it and delete the spam; you can also move it to the Junk folder so that your security program adds the sender to its blacklist.


Responder – MITM and Network Spoofing Tool

Responder is a tool from SpiderLabs that can be used during a pentest for spoofing and network man-in-the-middle attacks. Initially the utility was written to spoof name-resolution protocols such as NBNS, which is similar to the DNS service. Responder can now be used against many more protocols, including DNS, ICMP redirect, SMB Relay and more.

Besides spoofing, Responder includes fake services that emulate protocols and listen on their ports to capture all user activity. Emulated services include HTTP, SMB, MS SQL, FTP, LDAP, SMTP and POP3. This obviously helps in capturing plain-text passwords and NTLM authentication credentials.

All types of authentication are supported, which makes the tool a good match for MITM attacks. It is written in Python and ships with several scripts that can be used to target any of these services; you can customize the settings according to your needs.

Screenshot of Responder options

You can find the tool description and usage at this link: https://github.com/SpiderLabs/Responder


“Facebook Secrets” Malicious Chrome Extension

Google has taken many security measures to improve the security of Chrome extensions, by adding patches that fix critical security vulnerabilities and by enforcing a policy that allows users to install extensions only from the Chrome Web Store. TrendMicro security researchers have uncovered another malicious attack targeting Chrome users.

The attack starts with a shortened link posted on Twitter that claims to lead to “Facebook Secrets”. The link obviously holds no secrets; it leads to an exe file that executes the malware on the victim's machine. The executable bypasses the security measures implemented by Google: it creates a folder in the extension directory named after the malicious plugin and drops a script that is loaded whenever the victim connects to a URL.

Tweets sharing the fake extension, source: TrendMicro

Each time the victim opens the Chrome browser and navigates to Facebook or Twitter, the extension opens a Turkish page that earns the cybercriminals income through click fraud. Using social media to promote malware is always on the rise, as it lets cybercriminals post their malicious links and gain more exposure for what they want to share.

To protect your systems, never click or follow shortened links from unknown sources; you can use the LongURL service to reveal the real URL. It is also important to install browser extensions only from the official store to avoid fake plugins.


Pinpoint – Tool to find malicious objects

Many websites host malware or link to a malicious file without their owners' knowledge, and it normally takes some time to find the compromised files. Pinpoint is a tool that you can use to scan a site and identify the infected files. The tool lists all external JavaScripts, JavaScript redirects and iFrames on the targeted website.

Pinpoint has the following options:

  • Disable Compression – sends the HTTP request without the encoding option
  • Enable Entropy – performs the entropy check
  • Ignore Safe Sites – ignores common sites that host frameworks, ads, and other legitimate content so it doesn’t get downloaded
  • Ignore CSS – ignores external CSS files so that they don’t get downloaded


This tool is especially useful if you are using external plugins that may pose a risk to visitors. You can download Pinpoint from this link: http://www.kahusecurity.com/tools/
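The kind of inventory Pinpoint produces (external scripts, iFrames and JavaScript redirects, with an "Ignore Safe Sites" list) can be reproduced with the standard library. This is an added example, not Pinpoint's own code; the sample page, the safe-host list and the host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page (not a real site): a local script, a "safe" CDN script,
# an unknown external script, an inline JS redirect and a 1x1 hidden iframe.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="http://cdn.safe-framework.example/jquery.js"></script>
<script src="http://static.unknown-host.example/x.js"></script>
<script>window.location = "http://redirect-target.example/land";</script>
</head><body>
<iframe src="http://hidden-host.example/i.html" width="1" height="1"></iframe>
</body></html>"""
SAFE_HOSTS = {"cdn.safe-framework.example"}  # constructed "Ignore Safe Sites" list
REDIRECT_RE = re.compile(r'(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']+)')

class ObjectFinder(HTMLParser):
    # Collects the three object types Pinpoint lists: external scripts, iframes, JS redirects.
    def __init__(self, page_host, ignore_safe=True):
        super().__init__()
        self.page_host, self.ignore_safe, self._in_script = page_host, ignore_safe, False
        self.external_scripts, self.iframes, self.redirects = [], [], []

    def _is_external(self, url):
        host = urlparse(url).netloc
        if not host or host == self.page_host:  # relative or same-origin: not external
            return False
        return not (self.ignore_safe and host in SAFE_HOSTS)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True  # an inline body (if any) arrives via handle_data
            if a.get("src") and self._is_external(a["src"]):
                self.external_scripts.append(a["src"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # look for location assignments inside inline scripts
            self.redirects.extend(m.group(1) for m in REDIRECT_RE.finditer(data))

def scan(html, page_host, ignore_safe=True):
    f = ObjectFinder(page_host, ignore_safe)
    f.feed(html)
    return {"external_scripts": f.external_scripts, "iframes": f.iframes, "redirects": f.redirects}
```

Run `scan(SAMPLE_HTML, "www.site.example")` to get the three lists; pass `ignore_safe=False` to see the CDN script reported as well.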


Netflix phishing page hosted to steal credit card details

Netflix is a cloud service widely used for watching movies online. This week a new phishing campaign targeting Netflix customers was spotted by Malwarebytes; it aims to grab subscribers' sensitive information. The phishing page asks the user to enter credit card details as a way to verify their account information. Obviously, all of that sensitive information is sent to the cybercriminal who controls the spoofed webpage.

The fake page URL is long, so if the browser displays only the first part of the link the user will find it quite authentic: http://netflix.co.uk.account.validation…
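The trick relies on the brand domain appearing at the left of a much longer host name. As an added example (not from the Malwarebytes report), the check below compares the parsed host name against the real domain instead of looking for the brand string anywhere in the URL; the phishing host used here is a constructed look-alike, not the real campaign's URL.

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "netflix.co.uk"  # the brand domain being imitated

# Constructed look-alike host in the style of the phishing URL described above:
# the brand's domain is placed as the left-most labels of an unrelated domain.
PHISH_URL = "http://netflix.co.uk.account.validation.example.test/verify/card"

def naive_check(url, legit_domain=LEGIT_DOMAIN):
    """The mistake a rushed reader makes: the brand string appears, so it 'looks real'."""
    return legit_domain in url

def is_legit_site(url, legit_domain=LEGIT_DOMAIN):
    """True only if the host IS the legit domain or a subdomain of it.
    urlsplit().hostname strips userinfo, port and case, so 'brand@evil' tricks fail too."""
    host = urlsplit(url).hostname or ""
    return host == legit_domain or host.endswith("." + legit_domain)

def address_bar_view(url, width=30):
    """What a narrow address bar shows: only the start of the link."""
    return url[:width] + ("..." if len(url) > width else "")

def assess(url):
    """Summarise what the user sees versus what the browser will actually connect to."""
    parts = urlsplit(url)
    return {"shown": address_bar_view(url),
            "host": parts.hostname,
            "https": parts.scheme == "https",
            "legit": is_legit_site(url)}
```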

Netflix fake page, source: Malwarebytes

While many web browsers include anti-phishing technology that will block similar pages, it is always important to verify links before submitting any sensitive information, and to make sure HTTPS is enabled so that your connection with the website is encrypted. The phishing domain is registered with the “Crazy Domains FZ-LLC” registrar, and at the moment the hosting provider has removed this fake page.


New Release – OCLHashcat 1.30

This week a new release of OCLHashcat has been announced. The tool is widely used for penetration testing and password recovery. The new version, OCLHashcat 1.30, brings performance improvements and additional algorithms. The new algorithms are:

  • md5($salt.md5($pass))
  • Mediawiki B type
  • Kerberos 5 AS-REQ Pre-Auth etype 23
  • Android FDE
  • scrypt
  • Password Safe v2
  • Lotus Notes/Domino 8

There is also support for Skype and PeopleSoft password recovery, where testing should be done with access to the system. You can download the tool directly from the official website http://hashcat.net/oclhashcat/