Malicious Chrome extension FacexWorm crypto-hijacking via Facebook

On April 30th, 2018, cyber intelligence specialists reported the discovery of a malicious Google Chrome extension called FacexWorm that uses Facebook’s Messenger to target cryptocurrency trading platforms. So far only one Bitcoin transaction successfully hijacked by FacexWorm has been identified; however, the amount is still unknown.


The FacexWorm extension has been known to researchers since August 2017, yet its mechanisms and targets weren’t clear to analysts. Recent research has shown that FacexWorm’s capabilities were reworked to use socially engineered links in Facebook’s Messenger, redirecting victims and their friends to cryptocurrency referral scams, similar to Digmine.

FacexWorm works through malicious socially engineered links in Facebook’s Messenger

First, FacexWorm distributes links through Messenger to the friends of an infected person’s account; these links redirect to a fake YouTube page. In order to watch the video “your friend” has sent you, the page requires you to install a codec extension, which is actually FacexWorm itself. If the user agrees, the extension requests permission to access and change data on the opened website.

Once the permission is granted, additional malicious code is downloaded from the C&C server and the extension then gets into Facebook. FacexWorm requests an OAuth access token from the social messenger and starts sending the same fake YouTube links to the victim’s contacts who are online.

The FacexWorm extension works only on Google Chrome; if the infected link is opened in another browser, it redirects the user to a random advertisement.
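The permission step described above is something a defender can check for after the fact. The following Python script is an added example, not code from the original article or from Trend Micro: it audits the manifests of installed Chrome extensions and reports those that request access to data on every website. It assumes the `Extensions/<id>/<version>/manifest.json` layout of a Chrome profile directory; the function names and the sample manifest are constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that let an extension read and change data on every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: a "codec" extension asking for access to all sites.
SAMPLE_MANIFEST = {
    "name": "Example Codec",
    "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

def broad_hosts(manifest: dict) -> set:
    """Return the all-sites match patterns a manifest requests, from any field."""
    found = set()
    for key in ("permissions", "host_permissions", "optional_permissions"):
        # Permission entries can be objects in some manifests; only strings are patterns.
        found.update(p for p in manifest.get(key, [])
                     if isinstance(p, str) and p in BROAD)
    for script in manifest.get("content_scripts", []):
        found.update(m for m in script.get("matches", []) if m in BROAD)
    return found

def audit(extensions_dir) -> list:
    """Walk <extensions_dir>/<id>/<version>/manifest.json and list broad access."""
    report = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            # A manifest that cannot be parsed is worth a manual look as well.
            report.append((ext_id, "<unreadable manifest>", set()))
            continue
        hosts = broad_hosts(manifest)
        if hosts:
            report.append((ext_id, manifest.get("name", "?"), hosts))
    return report

if __name__ == "__main__":
    import sys
    # Usage: python audit_extensions.py /path/to/chrome/profile/Extensions
    for ext_id, name, hosts in audit(sys.argv[1]):
        print(ext_id, name, sorted(hosts))
```

Many legitimate extensions also request all-sites access, so the output is a review list rather than a verdict: compare each reported ID against what the user knowingly installed.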

FacexWorm is not a real extension but rather a clone that looks similar. Once installed, it injects its files into the system to finally take over.

Trend Micro highlights these 5 main malicious FacexWorm behaviours:

  1. Steals credentials from Google, MyMonero and Coinhive once the user logs in
  2. Pushes a crypto-scam. If the user browses anything related to cryptocurrencies, FacexWorm is triggered to redirect them to a scam page which promises to send 5-100 ETH if they pay 0.5-10 ether for verification. This of course goes into the attacker’s wallet.
  3. Injects a web crypto-miner
  4. Hijacks crypto transactions. When the infected victim tries to make a crypto transaction on some popular crypto-trading platforms like Poloniex, HitBTC, Bitfinex, Ethfinex and Binance, the extension locates the address keyed in by the user and replaces it with the attacker’s address.
  5. Redirects victims to referral links to earn from every registered account in Binance, DigitalOcean,,, and HashFlare

To avoid infection, users are advised to practice good security habits

Even though the Chrome Web Store works to keep out the FacexWorm extensions that crooks constantly upload, and Messenger tries to monitor and block the malicious link activity, Trend Micro specialists warn Chrome users to always use caution when using websites and when installing and giving permissions to new, unknown software. The company has reached out to Facebook with its recent findings, to which Facebook officials replied:

We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on

Whether or not Facebook’s efforts to protect its users are enough, the incident unfortunately casts yet another shadow on an already scandal-ridden social networking company.

