So far, only Chrome and Firefox extensions have been spotted.
Once installed, they try to update themselves, and they pick up a configuration file containing a list of commands ("Like" a page, Share, Post, Join a group, Invite friend to a group, Chat to Friends, Comment on a post") from another website.
Once the user is logged into Facebook, the extension springs into action, and first posts a message with a link that supposedly takes other potential victims to a website offering a video, but probably asks them to install the extension masquerading as a "YouTube Player" or and update for Flash Player.
To be fair, Microsoft has not revealed how the malicious extensions get installed by the user - this above is only my own conjecture.
The site has been blocked by Facebook, but others can easily pop up.
It then tries to "Like" and post a comment on a Facebook page advertising the Chevrolet Celta produced by General Motors do Brasil, then attempts to promote it and contests that supposedly award it to the winners via messages that contain links to a website that sells cars.
According to Microsoft, the threat is spreading relatively fast if we are to judge by the "likes", comments and shared links that pop up referencing the page.
"There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection," they say, adding that its own products detect it as Trojan:JS/Febipos.A.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.