Chrome is one of the most popular browsers today, so it's not surprising to see cybercriminals abusing it for profit. And, even though Chrome is considered to be very safe, you're still not completely protected against various kinds of malware, because, ironically, its web store offers a lot of apps that can potentially do harm to your PC.
Cyren, a company which specializes in Internet security, found an extension for Chrome that distributes PDFs containing nude pictures of celebrities. Or so it says. Those kinds of messages are especially popular on Facebook. You have probably even received them from time to time. And, unfortunately, those PDFs are not something that can be looked at and deleted (or kept). They're actually part of a campaign which has malware distribution as its main goal.
When you click on the file, a new tab opens. It contains what seems like a video and a “Play” button. If you use Firefox, Safari or Internet Explorer, you’re treated to several new pages at once after you press “Play”. They display advertisements and various types of adult content.
And if you use Chrome, you’re taken to a page that looks exactly like YouTube. If you try to play the video, you get prompted to install a new browser extension. And if you let this extension be installed, you’re opening the way for your personal information on Facebook to be collected. And you also let it post on your behalf.
That's basically it: you lose control of your Facebook page and it starts posting supposed nude PDFs in various groups and on your timeline. The PDFs are also sent to all of your friends, and if they click on them, they're going to suffer the same fate as you did. There is no concrete proof at the moment, but the people behind this campaign may be using the massive leak of nude celebrity pictures that happened in 2014 as its central point. You also need to be aware that this extension is designed in such a way that it goes unnoticed by your antivirus program. Not only that, but it disables dev tools tabs, so removing it can be quite difficult.
Google doesn't offer this extension in its web store anymore, but if you installed it and now suffer the consequences, you need to delete a certain Registry key in the Registry editor. The path to the key in the Registry editor is HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension, and the path to the extension folder is C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions.
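To see what is actually sitting in that extension folder before deleting anything, the following added example (not code from the article or from Cyren) reads each extension's manifest.json and marks the ones that can touch every site or Facebook. The review rules and the function names are assumptions made for this example.

```python
import json
import os
from pathlib import Path

# Host patterns that cover every site (Chrome match-pattern syntax).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(ext_root):
    """List each installed extension version under ext_root with risky grants.

    Chrome stores extensions as <ext_root>/<extension id>/<version>/manifest.json.
    """
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed deserves a manual look.
            findings.append({"id": ext_id, "error": "unreadable manifest"})
            continue
        grants = set()
        for key in ("permissions", "host_permissions"):
            grants.update(p for p in data.get(key, []) if isinstance(p, str))
        for script in data.get("content_scripts", []):
            grants.update(script.get("matches", []))
        findings.append({
            "id": ext_id,
            "name": data.get("name", "?"),
            "version": manifest.parent.name,
            "all_sites": sorted(grants & ALL_SITES),
            # The campaign in the article abuses Facebook sessions, so Facebook
            # host access is flagged (a heuristic assumed for this example).
            "facebook": sorted(g for g in grants if "facebook.com" in g),
        })
    return findings

def needs_review(finding):
    """True when an entry is unreadable or can touch all sites or Facebook."""
    return bool(finding.get("error") or finding["all_sites"] or finding["facebook"])

if __name__ == "__main__":
    # Folder from the article, resolved for the current Windows user.
    root = Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions"
    for f in audit_extensions(root):
        print("REVIEW" if needs_review(f) else "ok    ", f)
```

A flagged entry is only a prompt to check the extension ID against what you knowingly installed; many legitimate extensions also request access to all sites.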
Make sure to keep away from those kinds of messages in the future. They very rarely give you what they promise and do far more harm than good.