On April 30th, 2018, Trend Micro cyber intelligence specialists reported the discovery of a malicious Google Chrome extension called FacexWorm that uses Facebook's Messenger to target cryptocurrency trading platforms. So far, only one successfully hijacked FacexWorm Bitcoin transaction has been identified, and its amount is still unknown.
The FacexWorm extension has been known to security researchers since August 2017, yet its mechanisms and targets were not clear to analysts. Recent research has shown that FacexWorm's capabilities were reworked to use socially engineered links in Facebook's Messenger that redirect victims and their friends to cryptocurrency referral scams, similar to Digmine.
FacexWorm works through malicious socially engineered links in Facebook’s Messenger
First, FacexWorm distributes links through Messenger to the friends of an infected person's account; these links redirect to a fake YouTube page. To watch the video "your friend" has sent, the page requires the user to install a codec extension, which is actually FacexWorm itself. If the user agrees, the extension requests permission to access and change data on the opened website.
Once the permission is granted, additional malicious code is downloaded from the C&C server and the extension then gets into Facebook. FacexWorm requests an OAuth access token from the social messenger and starts sending the same fake YouTube links to the victim's contacts who are online.
The FacexWorm extension works only on Google Chrome; if the infected link is opened in another browser, it redirects the user to a random advertisement.
FacexWorm is not a real extension but rather a clone that looks similar. When installed, it injects its files into the system to finally take over.
Trend Micro highlights these 5 main malicious FacexWorm behaviours:
- Steals credentials from Google, MyMonero and Coinhive once the user logs in
- Pushes a crypto scam. If users browse anything related to cryptocurrencies, FacexWorm redirects them to a scam page which promises to send 5-100 ETH if they pay 0.5-10 ether for verification. This, of course, goes into the attacker's wallet.
- Injects a web crypto-miner
- Hijacks crypto transactions. When an infected victim tries to make a crypto transaction on popular crypto-trading platforms such as Poloniex, HitBTC, Bitfinex, Ethfinex and Binance, the extension locates the address the user keyed in and replaces it with the attacker's address.
- Redirects victims to referral links to earn from every registered account on Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare
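A defender-side check for the permission described above ("access and change data on the opened website"), added here as an example that is not from the article or from Trend Micro's report: this Python script reads the `manifest.json` of each installed Chrome extension and lists those that can read and change data on every site. It assumes the usual profile layout `Extensions/<extension id>/<version>/manifest.json`; the function names and the two sample manifests are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that let an extension read and change data on every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest: dict) -> list[str]:
    """Return the manifest keys that grant access to all websites."""
    hits = []
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_permissions"):
        if any(v in BROAD_PATTERNS for v in manifest.get(key, []) if isinstance(v, str)):
            hits.append(key)
    # Content scripts are injected into every page that fits "matches".
    scripts = manifest.get("content_scripts", [])
    if any(BROAD_PATTERNS & set(s.get("matches", [])) for s in scripts):
        hits.append("content_scripts")
    return hits

def audit_extensions(extensions_dir: Path) -> dict[str, list[str]]:
    """Scan <extensions_dir>/<extension id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            hits = broad_host_access(json.loads(path.read_text("utf-8-sig")))
        except (OSError, ValueError):
            hits = ["unreadable manifest"]  # worth a manual look as well
        if hits:
            report[path.parent.parent.name] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Audit two constructed manifests written to a temporary directory."""
    samples = {  # constructed sample data, not taken from FacexWorm
        "aaaa": {"manifest_version": 2, "permissions": ["tabs", "<all_urls>"],
                 "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
        "bbbb": {"manifest_version": 3, "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            path = Path(tmp) / ext_id / "1.0_0" / "manifest.json"
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest))
        return audit_extensions(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

A hit is not proof of malice, since many legitimate extensions need broad access; the output is a short list of extension IDs to review against what the user knowingly installed.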
To avoid infection, users are advised to practice good security habits
Even though the Chrome Web Store keeps out the FacexWorm extensions that crooks constantly upload, and Messenger tries to monitor the malicious link activity and block it, Trend Micro specialists warn Chrome users to always use caution when using websites and when installing and giving permission to new, unknown software programs. The company has reached out to Facebook with its recent findings, to which Facebook officials replied:
We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.
Whether or not Facebook's efforts to protect its users are enough, this unfortunately casts another shadow on the already scandal-ridden social networking company.