Closed Bug 1190832 Opened 9 years ago Closed 9 years ago

Block Malicious Extension "Video Fix"

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1190963

People

(Reporter: facefollowbr, Unassigned)

Details

Attachments

(1 file)

34.03 KB, application/zip
Details
Attached file ff (1).xpi
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36

Steps to reproduce:

Hello.

I represent a security firm that works for companies like several banks and Facebook Ltd.

There is a domain registered with GoDaddy.com for a Facebook virus that uses a Firefox and Chrome extension to install, as you can see in this phishing address example:

http://orti1.com/ff <- This is a phishing website for installing the malicious Firefox extension (you need to open it using Firefox)

This malicious extension uses Facebook profiles and hijacks the Facebook token (same as the user's password) to spread across users' walls without their permission.

Malicious Extension ID: hha8771ui3-Fo9j9h7aH98jsdfa8sda@jetpack.xpi

Inside the malicious extension, there are several calls to the address "inslike.info" as you can see in the example:

https://www.inslike.info/core/link.php


At the address http://inslike.info/k.js you can see several calls to the domain, meant to deliver hijacked user data, as well as a routine for posting to Facebook walls.


Shut those addresses down; those cybercriminals are already being investigated by local security agencies, and they reside in Turkey.

If you have any questions, please feel free to reply to my email.

Thank you
OS: Unspecified → All
Hardware: Unspecified → All
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Product: addons.mozilla.org → Toolkit