Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome

Facebook profile viewerThreatTrack security researcher Chris Boyd (aka “Paperghost”) has detailed the latest in a growing number of attacks posing as “Facebook Profile Viewer” applications, but which actually aim to make sinister changes to victims’ web browsers.

In a blog post Boyd explains how he came across a webpage on Tumblr with a name which suggested it could provide free lives for the famously addictive Candy Crush Saga Facebook game.

However, as you can see below, the webpage seems much more interested in encouraging you to find out who has been viewing your Facebook profile than improving your candy-matching skills:


Sign up to our free newsletter.
Security news, advice, and tips.

The fake Profile Viewer promotion encourages users to delve further, with the following instructions:

To activate your Profile Viewer… follow the simple instructions below.

Step 1: Click Scan button.
Step 2: Click download file ProfileViewersSetup.exe and click yes when prompted to start scanning who viewed your profile.
Step 3: Once you click yes the results will be available to you.

Sure enough, if you click the scan button you begin to download a Windows executable program called ProfileViewersSetup.exe. I tried downloading the program on a Mac computer, and it was proactively identified by Sophos as Mal/Generic-S.

Malicious threat detected

Boyd reports that ThreatTrack’s VIPRE product detects the file as Trojan.Win32.Clicker!BT.

But what if you weren’t running an anti-virus program capable of intercepting this malware? What would happen then?

Well, if you download and run the executable on a Windows computer, a new .xpi extension called “WhoViewS 5.2″ will be installed into your Firefox browser. Suspiciously, the extension gives its homepage as microsoft.com and uses an Adobe Flash logo as its avatar.


Boyd says that he and his fellow researchers at ThreatTrack are continuing to analyse the purpose of this extension, but it’s clear that it’s intentions are not good. In the past rogue Firefox extensions have been seen that interfere with your search settings, display pop-up advertising, redirect browsers to webpages that earn cybercriminals affiliate cash and so forth.

Indeed, if you’re not using Firefox on your computer but are a Chrome-lover instead you will find your preferred browser has started redirecting you to pages that ask you to complete surveys – again, with the intention of earning money for the scammers.

I’ve said it before, and I’ll say it again. There is *no* way that you can find out who has been looking at your Facebook profile. So putting your personal computer and data at risk by hunting for a solution.

If you want to learn more about the latest Facebook scams, and ways to protect yourself online, like the Graham Cluley Security News Facebook page.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome”

  1. spryte

    Is that just chrome?
    Or all chromium browsers?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.