April 14, 2016 | Bratislava | Press Releases

ESET Analyzed Another Scam Luring Facebook Users into Downloading Malware

ESET researchers analyzed a scam campaign on Facebook that spreads a malicious browser plugin via social engineering techniques. The attack starts by luring a Facebook user into playing a video, most often titled “My first video”, “My video” or “Private video”. After clicking on the link, the victim is directed to a fake YouTube website where, instead of downloading and playing the video, he/she is requested to install an additional extension:

Sorry, if you don't install Video Play plugin, you will not be able to watch the video!

Click 'Add Extension' to watch the Video

The extension is a malicious version of the otherwise legitimate “Make a GIF” plug-in. ESET detects this threat as JS/Kilim.SO and JS/Kilim.RG and users of ESET security products are protected from it.

If the victim installs the malicious plug-in, his/her browser becomes infected and carries the infiltration further: his/her Facebook wall becomes flooded with fake video posts tagging multiple friends from their friends list and subsequently, all online friends will receive an identical message via Messenger with the same harmful contents.

At the beginning of April, 2016, ESET systems detected this threat more than 10,000 times in dozens of countries around the world.

“The malicious campaign is spreading spam messages and infecting Facebook accounts with a very high rate of success. At this point, the infiltration only targets Chrome users, but there is no guarantee that it will not spread to other browsers in the future. Also, it has potential to become more dangerous in the future, spreading other, more powerful malware with new capabilities. ,” comments Lukas Stefanko, ESET Malware Researcher.


ESET researchers have prepared a recommendation for victims of this scam: 

  • Immediately remove the malicious “Make a GIF” extension from your Chrome browser.

Either type “chrome://extensions/” into the address bar or go to Customize and control Google Chrome -> More tools -> Extensions -> Make a GIF -> Remove from Chrome. If you also use the legitimate “Make a GIF” extension, use the pictures below to distinguish the original version from the infected one.



Figure 1 Infected and not infected extension


 Figure 2 Clean variant of Make a GIF

If you click on Details -> View in store, you will see details about extension.


Figure 3 Infected Make a GIF

Additional details about the scam, as well as ESET’s recommendations to avoid falling victim to it, can be found in an article on ESET’s official blog, WeLiveSecurity.com


About ESET

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on  LinkedInFacebook and  Twitter.