A dangerous new scam is actively targeting many Facebook users who are desperate to recover their banned pages. This deceptive scheme is promoted primarily through various YouTube videos that misleadingly suggest a quick solution for appealing Facebook bans. These videos urge viewers to download a specific Chrome extension, claiming it will help them restore their suspended Facebook accounts. However, instead of providing any legitimate restoration assistance, the extension silently steals the user’s valuable Facebook session cookies. This theft effectively hands over complete control of the victim’s Facebook account to the sophisticated attackers behind this malicious campaign.
The scam unfolds as users, lured by YouTube videos, are directed to download the Chrome extension from Google Drive links.
This is a significant red flag because legitimate Chrome extensions are almost always distributed through the official Chrome Web Store. Once this malicious extension is installed by an unsuspecting user, it appears to be harmless on the surface. However, its underlying behavior is designed for theft, requesting extensive and dangerous permissions from the user during its installation process. These permissions include access to all Browse activity across every website, all cookies from any site, and browser tabs and storage. The extension also injects scripts into every webpage the user visits, allowing constant monitoring and interception.
The core of this malicious attack lies within the extension’s background.js file, which contains the harmful code responsible for the theft. This script silently gathers all of the user’s current Facebook session cookies from their web browser. It then transmits this collected cookie data to a remote server controlled by the attackers, often using a Telegram bot endpoint. These stolen session cookies can then be used by the cybercriminals to completely hijack the victim’s Facebook account. This method allows them to bypass even the user’s login credentials, including passwords and two-factor authentication measures, giving them full unauthorized control.
This type of Chrome extension essentially functions as sophisticated spyware, capable of tracking a user’s entire web activity.
The real-world impact is severe, allowing attackers to hijack Facebook sessions without needing passwords and bypass security like 2FA. Attackers can gain full control over the victim’s Facebook account, leading to potential identity theft or impersonation by the criminals. Stolen accounts are often used to run further scams or spread more malicious content, perpetuating the cycle of cybercrime. To protect themselves, users should never install extensions from unofficial sources like Google Drive and always carefully review requested permissions before installing any extension.
Reference:
