Facebook Timeline Remover: Works, but Malicious – 90,000+ Chrome users may get their browser hijacked

By Jason Ding – Research Scientist

At the beginning of this year, Facebook started rolling out a more interactive and dynamic UI called “Timeline” to all its users. But not every Facebook user was happy about this upgrade. In typical fashion, scammers took notice, promising to remove the Timeline style and revert to the traditional view if a user installed some “helpful” apps or browser plugins (normally named “Facebook Timeline Remover” or something similar).

Fortunately, at the end of May, the security community quickly identified this innovative scam and warned Facebook users that these fake apps and plugins are malicious and should not be installed.

So the problem seemed to be solved. But is that true?

At Barracuda Labs, we constantly monitor the security and threat trends around social networking platforms in order to better protect our 150,000 customers. We revisited this Timeline Remover scam recently and were surprised by how much activity is still out there.

First, there are at least 6 Chrome plugins in the Chrome Web Store, and the total number of users is around 764,000. Details of these Chrome plugins are below.

Potential “good” ones:

URL: https://chrome.google.com/webstore/detail/dnedfaenfnkikficknkklbdedlecmpgc
Name: TimelineRemove
Website: http://www.timelineremove.com/
Permission: Access data on *.facebook.com, Read/Modify Bookmarks, Access tabs and browsing activity
Stats: Aug 24th: 567,271 users, 1.4K Google+, 350 reviewers, 4.31/5 stars; Aug 27th: 603,615 users; Aug 29th: 612,183 users

URL: https://chrome.google.com/webstore/detail/nkcokgbocjdimlmboepiomecihakbinp
Name: Facebook Timeline Remover & Disabler – Remove
Website: http://layouts-skins.com/facebook-layouts/fb-timeline/fb-timeline-remover-disabler-how-to-remove-fb-timeline/
Permission: Access data on *.facebook.com, Access tabs and browsing activity
Stats: Aug 24th: 40,701 users, 61 Google+, 27 reviewers, 3.56/5 stars; Aug 27th: 40,300 users; Aug 29th: 40,261 users

URL: https://chrome.google.com/webstore/detail/aoapcfbfcfdggenjdfmlaienknnbijbj
Name: Facebook Timeline Remover & Disabler – Remove
Website: http://layouts-skins.net/facebook-layouts/fb-timeline/fb-timeline-remover-disabler-how-to-remove-fb-timeline/
Permission: Access data on *.facebook.com, Access tabs and browsing activity
Stats: Aug 24th: 21,612 users, 157 Google+, 42 reviewers, 3.6/5 stars; Aug 27th: 21,376 users; Aug 29th: 21,430 users


Bad ones:

URL: https://chrome.google.com/webstore/detail/efegkamagjpaioecemiekbhdgehlnaoe
Name: Disable Timeline on Facebook
Website: http://www.removeyourtimeline.com/
Permission: Access data on all websites, Access tabs and browsing activity
Stats: Aug 24th: 25,195 users, 154 Google+, 38 reviewers, 4.58/5 stars; Aug 27th: 39,048 users; Aug 29th: 40,340 users
Version:; Updated: Sunday, August 19, 2012

URL: https://chrome.google.com/webstore/detail/mofmhhfpjbhkgfdbcgbadlcpnlfhebch
Name: Remove Facebook Timeline
Website: http://removetimeline.s3-website-us-east-1.amazonaws.com
Permission: Access data on all websites, Access tabs and browsing activity
Stats: Aug 24th: 6,909 users, 0 Google+, 0 reviewers; Aug 27th: 10,295 users, 2 Google+; Aug 29th: 10,431 users
Version: 1.0.6; Updated: Thursday, August 23, 2012

URL: https://chrome.google.com/webstore/detail/anmjpohfnlopdfaojooicpemopnliimn
Name: Remove Facebook Timeline
Website: http://timelineremoval.s3-website-us-east-1.amazonaws.com
Permission: Access data on all websites, Access tabs and browsing activity
Stats: Aug 24th: 0 users, 3 Google+; Aug 27th: 29,875 users, 7 Google+; Aug 29th: 39,413 users
Version: 1.0.2; Updated: Thursday, August 23, 2012

Note: Stats are collected from the Chrome Web Store.

The first three plugins only access your data on *.facebook.com (which they need in order to present the traditional Facebook UI), and seem to be “good” plugins.

However, the permissions of the latter three do not make sense: they require access to your data on all websites, as seen in the above tables and in Figure 1. Additionally, the last two Chrome extensions have supporting websites hosted on the Amazon Simple Storage Service (Amazon S3), which hides information about the plugin authors. This is suspicious.


Figure 1: Plugin for Timeline Remover requires data access on all websites
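
The permission mismatch described above can be checked mechanically from an extension's manifest.json. The following is an added example, not code from the original post: it lists the host patterns a manifest requests that reach beyond the domains the extension claims to need. The two manifests are constructed samples (not those of the extensions listed above), and the function names are hypothetical.

```python
import json
import re

# Chrome match pattern: <scheme>://<host>/<path>
MATCH_PATTERN = re.compile(r"^(\*|https?|ftp|file)://([^/]*)/.*$")

# Constructed sample manifests, not those of the extensions listed above.
NARROW = json.loads("""{"name": "sample-narrow", "manifest_version": 2,
  "permissions": ["tabs", "bookmarks", "*://*.facebook.com/*"]}""")
BROAD = json.loads("""{"name": "sample-broad", "manifest_version": 2,
  "permissions": ["tabs", "http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}""")


def host_patterns(manifest):
    """Collect every host pattern requested via permissions or content scripts."""
    found = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            # API permissions such as "tabs" or "bookmarks" are not host patterns.
            if entry == "<all_urls>" or MATCH_PATTERN.match(str(entry)):
                found.append(entry)
    for script in manifest.get("content_scripts", []):
        found.extend(script.get("matches", []))
    return found


def in_scope(pattern, allowed_domains):
    """True only if the pattern is confined to an allowed domain or its subdomains."""
    m = MATCH_PATTERN.match(pattern)
    if not m:  # "<all_urls>" and malformed patterns are treated as out of scope
        return False
    host = m.group(2)
    if host.startswith("*."):
        host = host[2:]
    if host in ("", "*"):  # wildcard host or file:// URLs
        return False
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def excess_hosts(manifest, allowed_domains):
    """Host patterns that reach beyond what the extension's stated purpose needs."""
    return sorted({p for p in host_patterns(manifest) if not in_scope(p, allowed_domains)})


if __name__ == "__main__":
    for sample in (NARROW, BROAD):
        print(sample["name"], "->", excess_hosts(sample, ["facebook.com"]) or "no excess access")
```

An empty result means every requested host falls under the allowed domains; any entry in the list is access the stated purpose does not explain.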

We took a deeper look, checking whether these 6 plugins worked and what the potential damage was, if any. Fortunately, the first 3 plugins work well and do remove the Timeline after the user logs in to Facebook. There is no suspicious activity.

However, the last 2 plugins displayed a classic social engineering trick after installation: an affiliate campaign survey to receive a free gift card, as shown in Figure 2.



Figure 2: Affiliate campaign survey after plugin installation

Meanwhile, the scammers behind the bad plugins are really good at social marketing. They create social events on Facebook to recruit users, and use shortened URLs to avoid detection (some even passed through the Google translation page). As shown in Figure 3, there are 2000+ people invited, and nearly one hundred are attending.



Figure 3: A Facebook event to 2000+ friends for Timeline Removal

The story is not over yet. The scammers also created a few extra Tumblr and TinyURL pages to automatically redirect new readers to the installation websites. Once a new user installs one of these malicious plugins, a sharing post or an event is auto-generated on his/her Facebook page to advertise the installed Chrome plugin. Figure 4 shows examples of posts spreading these plugins on Tumblr pages, and Figure 5 shows the code inside these Chrome plugins that automatically generates new shortened TinyURLs.


Figure 4: Posts to spread the Tumblr pages for Timeline Removal


Figure 5: Code to generate new random shortened TinyURLs after plugin installation

If one route is cut off (Chrome currently blocks one of the AWS S3 URLs), there are always backup routes. No one knows and uses social media better than these Chrome plugin hackers.

These approaches work extremely well to trick users: one of the Chrome plugins (version 1.0.6) had about 7,000 users on August 24, but had 10,295 users on August 27; the last one attracted more than 39,000 users in just 5 days. The total number of users of these “access-data-on-all-websites” plugins reached 90,184 as of yesterday (August 29). In other words, the 90,184 installers, or potential victims, allowed these malicious third-party plugins to hijack their personal Web data when they surf the Internet with Chrome!

Fortunately, we did not see any other suspicious activity from the last 3 bad Chrome plugins (e.g., stealing your credentials while you browse other websites). But this does not mean they cannot and will not do that in the future. It is totally their call now.

In conclusion, we would like to warn all Facebook users not to try any Facebook Timeline Remover apps or plugins. Even if you are experienced and can distinguish a good plugin or app from a bad one, allowing a third party to access your Facebook information or other private data is always a big risk.

And especially, our suggestions to these 90,184 Chrome users: uninstall these “malicious” Timeline Remover plugins, change your Facebook passwords immediately, and delete the sharing posts of these plugins.
