Simple Facebook Notification Infects Over 10,000 Windows OS Facebook Users in 48 Hours

Simple Facebook Notification Infects Over 10,000 Windows OS Facebook Users in 48 Hours

Thousands of Facebook users have been infected by a new kind of malware that takes over a Facebook user's account in a latest phishing scheme which works in two ways. It all starts from a simple Facebook notification which when you click on it will launch a two stage attack on your Facebook account.

It's usual to receive a notification about something on Facebook and we never even think twice about clicking on it. However that simple action can now bring about a lot more than just getting to see what your friend said on something such as some dumb funny video or something. And cyber criminals are using this irresistible nature to attack Facebook users.

Facebook is the worlds biggest social networking site and is used by billions of people all around the world. However because it's the biggest, it's also the most susceptible to attack and makes it a bigger target for cyber criminals to target and try to run malicious scripts on. In their latest campaign, they launch a two stage attack that starts when you click on a simple notification. After which a malicious file tries to take control of the users browser and then terminates their current browser session and replaces it with a malicious one that contains a tab to a legitimate looking Facebook login page which is designed to lure the victim back to Facebook but then steals their login details.

As soon as the victim logs back into the Facebook their session is hijacked and the malware begins to download and install more malware. It will attempt to change the privacy settings in your browser and even try taking over your account and PC to install scripts which can be used for malicious activities on your PC without your knowledge. This ranges from ID theft, spam and more. However before all this happens, the malware starts by sending the same phishing notification to all your friends who all think it's a genuine notification and so the malicious cycle begins all over again.


This phishing scam was discovered by Kaspersky Labs on June the 26th who found out that over 10,000 Facebook users have been infected by the malware in as little as 48 hours. The true figure from then to now could run into 100's of thousands of infected users all blindly sending the same infected notification to people. However while it was a global attack most users effected were in Brazil, Poland, Peru, Israel, and Mexico.

Are you infected?

While this only effects/affects people on the Windows OS such as Windows phone users. You can find out if you've been infected by this particular Facebook malware phishing scam.

If you're a Chrome user

Look for an extension called "thnudoaitawxjvuGB"

If you're a Mozilla user

Go to StartRun >
Copy and run this command "%AppData%\Mozila"
Look for any folders and files called, "autoit.exe" or "ekl.au3"

If you can see any extensions of files or folders called this then you are definitely infected!

Since the phishing attack discovery, Google have removed the extensions from the Chrome Web Store which was used to launch the malicious phishing attacks on unsuspecting people. The particular phishing malware only affected Windows OS's and Windows mobile devices also. iOS and Android users were fully immune from the attack due to the malware libraries not being compatible with these OS's.