Closed Bug 847018 Opened 11 years ago Closed 11 years ago

Blocklist a fake Flash extension that is in fact a malware

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: underpass_bugzilla, Unassigned)

Details

(Whiteboard: [extension])

Attachments

(1 file)

Rename .ZIP to .XPI to install
152.70 KB, application/octet-stream
Details 
User Agent: Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130227063501

Steps to reproduce:

One of my Facebook contacts tagged me in a post leading to this website

http://www.xn--47aaeabb.net/

redirecting to

http://www.sosyalaghileleri.com/firefox.php

It used have a fake Flash video and a notation saying that the Flashplayer installed on the system is obsolete and should be updated. It also provides the link to a fake extension. If you install it, your Facebook account becomes compromised and starts to spread the same link tagging other contacts, harvesting them from the list of your Facebook friends and thus propagating the "infection".
I also have a copy of the fake extension (downloaded but not installed) and I can upload it if necessary.

The website should be marked as dangerous. The extension should be blocklisted as soon as possible. This malware is increasingly spreading on Facebook in the last few days.

Thanks
The first link redirects me to chrome.php, and nothing on chrome.php or firefox.php seems to work. Can you upload the extension that you mentioned?
Hello, sorry for my late answer. Probably the DNS you are using somehow block the page since I'm perfectly seeing the fake extension download link.
Anyway, I'm uploading it. Thanks.

    
    

    
  
Well, the add-on linked definitely appears to be malicious. It's name and description are "Adobe Flash Player", and all it does is inject a remote script into every page. The URL for the script doesn't actually work, though.

ID: jid0-Y6TVIzs0r7r4xkOogmJPNAGFGBw@jetpack

    
    

    
  
This is also on AMO (not masquerading as Flash): https://addons.mozilla.org/addon/sosyal-medya/

    
    

    
  
Probably they plan to redirect somewhere else

    
  
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [extension]

    
    

    
  
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i322
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED

    
    

    
  
(In reply to Jorge Villalobos [:jorgev] from comment #7)
> Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i322
Typo in "pretending to the the Flash Player plugin."

    
    

    
  
(In reply to Scoobidiver from comment #8)
> (In reply to Jorge Villalobos [:jorgev] from comment #7)
> > Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i322
> Typo in "pretending to the the Flash Player plugin."

Fixed, thanks.
Product: addons.mozilla.org → Toolkit

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: