If you came across a celebrity sex video on Facebook featuring Jessica Alba or any other celebrity, just avoid clicking it.
Another Facebook scam is circulating across the social networking website that attempts to trick Facebook users into clicking on a link for a celebrity sex tape that instead downloads malware onto their computers.
Once installed, the malware would force web browsers to display aggressive advertising web pages which include sites with nudity and fake lotteries.
The spam campaign was uncovered by researchers at Cyren, who noted that a malicious Google Chrome extension is spreading nude celebrity PDFs through private messages and posts on various Facebook groups.
If opened, the PDF file takes victims to a web page with an image containing a play button, tricking users that the PDF may contain a video.
Once clicked, the link redirects users of Internet Explorer, Firefox, or Safari to a web page with overly-aggressive popups and advertisements related to nudity and fake lottery.
But on the other hand, this celebrity sex tape scam makes the matter worse for Google Chrome users.
The Scam is Fatal for Google Chrome Users
Once clicked on the scam link, Chrome desktop users are redirected to a fake YouTube page that leads up a pop-up window inviting victims to install a Google Chrome extension to view the videos.
Once victims get to install the malicious extension, the browser directs users to the Facebook.com login page and prompt them to re-authenticate, allowing attackers to collect Facebook users’ credentials and then use their accounts to spread the malicious campaign further.
When analyzed the Chrome extension’s source code, the Cyren team discovered that the extension comes with support for monitoring and intercepting web traffic in real-time, to determine what users can access through their browsers.
The malicious Chrome extension contains a long list of Antivirus and AntiSpam domains that it blocks and prevents the user from opening.
Besides this, the malicious Chrome extension also prevents victims from accessing the Chrome Extensions settings page, so that victims can not disable the malicious add-on.
"It also blocks the chrome extensions and chrome devtools tabs from being opened, preventing the user from uninstalling the malicious Chrome extension," the researchers say.
The PDF uploaded to Facebook is generated by selecting the name of a celebrity randomly from the script file and combining the selected name with random characters.
The name of celebrities includes Selena Gomez, Jessica Alba, Jennifer Lawrence, Hilary Duff, Paris Hilton, Rihanna, Kim Kardashian, Scarlett Johansson, Kelly Brook, Doutzen Kroes, Elodie Varlet and Nicki Minaj.
According to Cyren researchers, the cyber criminals behind this malicious spam campaign managed to upload their extension to the Chrome Web Store, though the extension has since been removed by the Google’s security team.
How to remove the Malicious Chrome Extension?
To remove this malicious extension, the infected users would first have to delete the Registry key from the Registry Editor.
To do this, Go to Start Button → Type "regedit" in the Search/Run option, which will open the Windows Registry Editor.
Now, use the side menu in the new window to find the folder below, right-click it and select "Remove."
This is the path to the Registry Editor:
Now the second step is to remove the extension from the browser. Since the malicious Chrome extension prevents victims from accessing the native Chrome Extensions settings page, one must remove the extension by deleting the following folder from one’s PC.
This action will remove all Chrome extensions from your computer. You have no option other than deleting the folder completely to get rid of the malicious threat, as you can not access the Chrome Extensions settings page to get the ID of the malicious extension.
Last but not the least, no celebrity recently have had their sex tape leaked (at least not one that’s available online). So if you come across any link claiming to show a leaked sex tape of Jessica Alba, Jennifer Lawrence or any other, remember just to report it.