Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome

Facebook profile viewer ThreatTrack security researcher Chris Boyd (aka “Paperghost”) has detailed the latest in a growing number of attacks posing as “Facebook Profile Viewer” applications, but which actually aim to make sinister changes to victims’ web browsers.

In a blog post Boyd explains how he came across a webpage on Tumblr with a name which suggested it could provide free lives for the famously addictive Candy Crush Saga Facebook game.

However, as you can see below, the webpage seems much more interested in encouraging you to find out who has been viewing your Facebook profile than improving your candy-matching skills:


Sign up to our free newsletter.
Security news, advice, and tips.

The fake Profile Viewer promotion encourages users to delve further, with the following instructions:

To activate your Profile Viewer… follow the simple instructions below.

Step 1: Click Scan button.
Step 2: Click download file ProfileViewersSetup.exe and click yes when prompted to start scanning who viewed your profile.
Step 3: Once you click yes the results will be available to you.

Sure enough, if you click the scan button you begin to download a Windows executable program called ProfileViewersSetup.exe. I tried downloading the program on a Mac computer, and it was proactively identified by Sophos as Mal/Generic-S.

Malicious threat detected

Boyd reports that ThreatTrack’s VIPRE product detects the file as Trojan.Win32.Clicker!BT.

But what if you weren’t running an anti-virus program capable of intercepting this malware? What would happen then?

Well, if you download and run the executable on a Windows computer, a new .xpi extension called “WhoViewS 5.2″ will be installed into your Firefox browser. Suspiciously, the extension gives its homepage as microsoft.com and uses an Adobe Flash logo as its avatar.


Boyd says that he and his fellow researchers at ThreatTrack are continuing to analyse the purpose of this extension, but it’s clear that it’s intentions are not good. In the past rogue Firefox extensions have been seen that interfere with your search settings, display pop-up advertising, redirect browsers to webpages that earn cybercriminals affiliate cash and so forth.

Indeed, if you’re not using Firefox on your computer but are a Chrome-lover instead you will find your preferred browser has started redirecting you to pages that ask you to complete surveys – again, with the intention of earning money for the scammers.

I’ve said it before, and I’ll say it again. There is *no* way that you can find out who has been looking at your Facebook profile. So putting your personal computer and data at risk by hunting for a solution.

If you want to learn more about the latest Facebook scams, and ways to protect yourself online, like the Graham Cluley Security News Facebook page.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

One comment on “Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome”

  1. spryte

    Is that just chrome?
    Or all chromium browsers?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.