A 19-year-old Danish computer science student announced his discovery this week of a series of malicious Google Chrome browser extensions that hijacked users’ Facebook accounts to engage in click fraud.

According to the student, Maxime Kjaer, he discovered the scam after he noticed one of his Facebook friends who consistently posted suspicious-seeming clickbait stories. Curious, he decided to investigate.

Now I know my friend; he’s a smart guy, so I don’t really see him liking tons of this (frankly) crap content,” Kjaer wrote. “I decided to go down the rabbit hole and see what this was all about.”

He discovered a website with adult content that said he needed to verify his age by installing a Google Chrome extension. He then analyzed the extension’s metadata and found that it was concealing malware that would hijack a victim’s Facebook account to generate false likes for a click fraud campaign.

“As soon as I found out about the extension, I told [my friend] to uninstall it, log out and then log in again to his Facebook account to gain new access tokens,” Kjaer told SC Magazine. “My friend told me that I was the first to notice it. He immediately unliked everything that the malware had liked for him, and I definitely think that he was glad to have it gone.”

If you notice one of your Facebook friends posting fishy links like this, do them a favor and let them know. It’s also a good idea to take a look at your own likes to make sure they’re really your own.  As always, be careful what apps or browser extensions you choose to install!