Tumblr blog being used to deliver false Facebook 'profile viewers'

Now ThreatTrack Security has discovered and is warning about a new campaign: "a Tumblr blog being used to spam so-called 'Profile Viewer' executables. These executables install dubious .xpi extensions in Firefox... and also cause some redirection shenanigans in Chrome", blogged Chris Boyd, ThreatTrack's senior threat researcher, yesterday.

The Tumblr blog in question is Candycrushsagafreelifes(dot)tumblr(dot)com. "In case you’re wondering," says Boyd, "Candy Crush Saga is a Facebook and smartphone game." 

But if a user visits the Tumblr page in question, he or she gets a 'Welcome to Profile Viewer' page with a pop-up giving instructions on what to do next: "To activate your profile viewers and have access to see who viewed your profile and your photos follow simple instrusctions [obligatory typo scam giveaway]  below."

Obviously it's not a 'profile viewer' – they don't exist. If the user proceeds, he gets a file called ProfileViewersSetup.exe, which is a Firefox and Chrome add-on. "If Firefox is open, it will close completely for a few seconds before re-opening with a blink-and-you’ll-miss-it 'notification screen'... before closing again." The purpose would appear to be to prevent the user from canceling the installation.

The Firefox add-on doesn't do much, which may mean it's still under development: "we're still looking into it", says Boyd. The Chrome add-on, however, is more proactive. Opening the browser causes an immediate redirect to another fake profile viewer site which pops up the traditional survey forms "in an effort to make some affiliate cash from anybody willing to hand over their personal information / phone number / anything else to the third party advertisers."

The message from ThreatTrack is simple: don't fall for a profile viewer scam. Any user who thinks he may already have done so should check the browser's extensions. In this instance, advises Boyd, "For now, should you find “WhoViewS” in your Firefox extensions list you’ll want to disable if running, and hit the “Remove” button."
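
The extension check recommended above can be scripted across several Firefox profiles. The following is an added example, not code from ThreatTrack or the original article; it assumes Firefox records installed add-ons in an `extensions.json` file inside each profile directory, and the sample entries, IDs and paths are constructed placeholders.

```python
import json
from pathlib import Path

# Add-on name reported in the article, matched case-insensitively.
SUSPECT_NAMES = ("whoviews",)

def addon_names(addon):
    """Return every display name stored for one extensions.json entry."""
    locales = [addon.get("defaultLocale") or {}] + list(addon.get("locales") or [])
    return [loc["name"] for loc in locales if loc.get("name")]

def find_suspect_addons(doc, needles=SUSPECT_NAMES):
    """List add-ons in a parsed extensions.json whose name contains a needle."""
    hits = []
    for addon in doc.get("addons", []):
        names = addon_names(addon)
        if any(n in name.lower() for name in names for n in needles):
            hits.append({"id": addon.get("id"), "name": names[0],
                         "active": bool(addon.get("active")),
                         "path": addon.get("path")})
    return hits

def scan_profiles(profiles_root):
    """Check each profile directory under profiles_root; skip unreadable files."""
    found = {}
    for path in Path(profiles_root).glob("*/extensions.json"):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
            hits = find_suspect_addons(doc)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable, malformed, or unexpected structure
        if hits:
            found[str(path.parent)] = hits
    return found

# Constructed sample data; the IDs and paths are placeholders, not real indicators.
SAMPLE = {"addons": [
    {"id": "placeholder-1@example.invalid", "active": True,
     "path": "/constructed/profile/extensions/placeholder-1@example.invalid.xpi",
     "defaultLocale": {"name": "WhoViewS"}},
    {"id": "placeholder-2@example.invalid", "active": True,
     "path": "/constructed/profile/extensions/placeholder-2@example.invalid.xpi",
     "defaultLocale": {"name": "Some Ad Blocker"}},
]}

if __name__ == "__main__":
    for hit in find_suspect_addons(SAMPLE):
        state = "enabled" if hit["active"] else "disabled"
        print(f"{hit['name']} ({hit['id']}) is {state}: {hit['path']}")
```

Point `scan_profiles` at the directory that holds the Firefox profiles; its location varies by operating system.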
