Bitdefender Labs recently reported that a site showing kittens and unicorns suggested users download a “business flash” plugin in order to see a video. Once installed, the plugin takes control of the user’s computer, allowing cookie information to be taken and replicated on another computer, effectively locking the user out of their social networking account.
Bitdefender describes the people behind this scheme as crooks, which makes this story more interesting, as this exploit seems to be designed to “borrow” a user’s identity. If your account isn’t taken over, the extension sits on your computer and can continue to like site after site without your approval.
While identity theft laws likely come into play here, the interesting part of this scheme is ascertaining damages. After all, a bank account isn’t being cleaned out. You can imagine a judge saying, “OK, so this person installed software on your computer which made it appear as if you liked a site which you never heard of… Big deal!”
So what’s in it for the scammers? Bitdefender Labs discovered a recently created blank page with 40,000 likes due to this scheme. A site with 100,000 likes sells for $150,000-$200,000, or slightly less than an entry-level Ferrari. Not bad work if you can get it. Moreover, if this is really a grey area of hacking, we can expect to see a lot more energy devoted to such exploits. I wonder if retweets on Twitter and repins on Pinterest are fertile areas for future scams.