Facebook Circulating ‘Who’s Viewed Your Profile’ Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating, Facebook circulating “Who’s Viewed Your Profile” campaign, has been operating beneath the radar, exposing over 800,000 users internationally, to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe’s Flash Player, as well as the Android based adware AirPush.

Relying on a proven social engineering tactic of “offering what’s not being offered in general”, next to hosting the rogue files on legitimate service providers — Google Docs and Dropbox in this particular case — the campaign is a great example that the ubiquitous for the social network social engineering scheme, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let’s dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign’s GA Account ID: UA-12798017-1

Domain name reconnaissance:
wh0prof.uni.me –

Known to have responded to the same IP are also the following domains:

Google Docs Hosted PUA URLs:

Dropbox Firefox Add-on/Android APK Hosted URLs:

Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 – detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b – detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b – detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae – detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to

Time to (conservatively) assess the campaign’s damage over the year(s):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook’s users into thinking that they can eventually see who’s viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends’ Walls, are advised to consider reporting the campaign back to Facebook, immediately.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *