Scammers spreading celebrity nude PDFs on Facebook, pushing malware installation

Google Chrome is one of the most used Internet browsers but lately, it is being used by cybercriminals and scammers to infect users with adware, malware and other malicious programs due to the low level of scrutiny on its web store.

Recently, an Internet security firm Cyren discovered a malicious Chrome extension spreading nude celebrity PDFs all over the Internet including on Facebook. You might be thinking what’s the big deal about spreading PDFs? Well, that’s just a beginning of an irritating adware and malware campaign.

Also Read: Pakistani Hacker Gets $5000 for Reporting Flaws in Chrome and FireFox

PDF file that is being spread by scammers.

Upon clicking on the PDF file a new tab opens which looks like a video with a play button on it. Upon clicking the play button, those on FireFox, Internet Explorer or Safari browsers are redirected to several new web pages containing adverts and nude content.

Scammers using playing button to trick users into opening malicious sites.

Meanwhile, those on Chrome browser are redirected to a fake YouTube site. The victim is again asked to click on a play button and doing so opens a pop up that further asks to install Google Chrome extension. Once the extension is installed it can read and collect all personal data of a Facebook user including permission such as “posting on their behalf.”

The extension then posts “nude PDF” files on Facebook groups, timeline and also sends them to their friends’ private messages. It looks like the scammers behind this whole campaign are taking advantage of nude celebrity photos that were leaked back in 2014.

Also Read: Chrome App for Android To Alert Users on Visiting Malicious Sites

The security researchers at Cyren noted that this Chrome extension is specially developed to block antivirus software from detecting and deleting it. It also blocks users from opening dev tools tabs making it almost impossible for victims to get rid of it. However, good news is that Google has already deleted the extension but if you have mistakenly installed this extension you will have to delete the Registry key from the Registry Editor. Thanks to Cyren researchers who pointed out exactly what the key is:

This is the path to the Registry Editor:


This is the path to the extension folder:

C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions

Previously, Chrome browser was used for a similar campaign when “Facebook comment tagging malware” made its way to users browsers through a Chrome extension. So watch out and avoid installed unverified extensions and applications.

Related Posts