Russia-Linked Facebook Ads Targeted a Sketchy Chrome Extension at Teen Girls

Credit to Author: Issie Lapowsky| Date: Sat, 12 May 2018 12:40:08 +0000

Earlier this week, the Democrats on the House Intelligence Committee released roughly 3,500 Facebook and Instagram ads purchased by the Internet Research Agency, a notorious Russian troll farm. Among them: Ads purchased in May of 2016 that promoted a suspicious Chrome extension that gained wide access to the Facebook accounts and web browsing behavior of those who installed it.

The ads, dozens in total, prompted users to install the extension, a music app called FaceMusic; when they did, some users reported that it began messaging all of their Facebook friends. The landing page for the ads, musicfb.info, was registered in April of 2016 in St. Petersburg, Russia, where the IRA is based.

The most successful ad, which yielded 28 clicks, specifically targeted American girls, ages 14 to 17, who Facebook classified as interested in free software and music. Other ads for FaceMusic targeted interest categories like Shazam, Spotify, Apple Music, or Soundcloud.

The ads containing the extension, purchased by the IRA's phony anti-immigrant Facebook page Stop All Invaders, were discovered by Jonathan Albright, director of research at Columbia University's Tow Center for Digital Journalism.

"Why would an anti-immigrant Russian Facebook Page be spending money to promote a music app?" Albright says.

The landing site that the ad directed to, musicfb.info, is no longer active, but an archived version advertises a “unique browser extension, which allows you to play your favorite music on Facebook for free and share it with your friends.”

The extension is no longer active in the Chrome Web Store, either, and a Google spokesperson confirmed the company had also removed it from users' devices. "When we discover malicious extensions, we remove them from the Chrome Web Store and from every user's computer that has downloaded them," the spokesperson said. "We suspend the developer and remove their other extensions from the Store as well."

Facebook could not confirm the number of people who signed into the extension through Facebook. It's also unclear how many installed the extension after seeing the IRA's Facebook ads. In total, the ads received just over 80 clicks, according to the metadata released by Facebook. Most of the ads received no clicks at all, likely because they had nothing to do with the other content posted by the Stop All Invaders page, which included, among other things, photoshopped memes calling President Obama "a mere pawn in the hands of the Arabian Sheikhs."

Facebook also wasn’t the only platform where the IRA promoted FaceMusic. A Reddit user named Rubinjer, which Reddit has since identified as linked to the IRA, also posted it to the subreddit r/UsefulWebsites.

Though the extension has been removed from the Chrome Web Store, Jérôme Segura, a researcher at the security firm Malwarebytes Labs, found an archived version of FaceMusic and installed it manually. He found that the extension asked users for permission to "read and change all your data on the websites you visit, display notifications, and modify data you copy and paste."

It also had permission to post to users’ Facebook timelines and message their friends. It apparently took full advantage. In June of 2016, a month after the IRA’s ads went live, one user took to the online photo-sharing site Imgur to complain that FaceMusic had spammed their friends with Facebook messages. "Facemusic sent a direct link to download their extension, to 100+ of my friends," the user wrote. "PLEASE, DO NOT GET 'Facemusic'!!! If you have it, GET RID OF IT IMMEDIATELY, change your FB password, and [perform] a virus scan." Several other users responded that the same had happened to them.

"We’ve seen examples of using a lure, like a music app or a game, for other purposes," says Segura. He notes, though, that the extension itself doesn't seem to contain malicious code, and received a clean bill of health from more than 50 antivirus engines. Instead, it used Facebook and Google's generous permissions to access users' data and message their friends.

Segura says that these permissions, while broad, are fairly standard for Chrome extensions, which often overreach the boundaries of privacy. "They have too many privileges. You download a game and all you want is the game, but the game wants contacts from your phone," he says. In the hands of a group like the IRA, that kind of unchecked power can go very wrong.

https://www.wired.com/category/security/feed/