Following previous post, we have found some malicious extensions in Chrome browser to turn Likes into real results on Facebook.

Once you click the malicious links embedded in spam mail, messages or any hyperlinks, and download the extensions, the malware monitor your browser activity. If you are logged into Facebook with Chrome browser, it will GET hxxp:// (also hxxp://!)

The content of son.js in extension as following:



There two functions abone and sayfa2 in "hxxp://", the partial content as below:


The function abone is tracking someone:



The function sayfa2 is turning Likes for someone:



Why did malwares turn Likes on Facebook? As we know, "On underground forums in Russia, a page with 100,000 likes sells for about $150 to $200", a security researcher said. Yes, for the money obviously. 


For your internet browsing security and prevent malicious connection, we urge our customer to keep WebGuard signature up to date. 

by AegisLab,"