Malicious Chrome Extension Mined Cryptocurrency via Facebook | Digital Guardian

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Malicious Chrome Extension Mined Cryptocurrency via Facebook

by Chris Brook on Tuesday May 1, 2018

Contact Us
Free Demo

A Chrome extension has been removed from Google's webstore that was found spreading through Facebook, stealing passwords and cryptocurrency.

The authors of a malicious Chrome extension recently retooled the threat to spread via Facebook Messenger and mine cryptocurrency.

The extension, FacexWorm, was removed from Google’s Chrome webstore last month and Facebook can now detect and block when malicious links are shared through Messenger via the extension.

Researchers with Trend Micro's TrendLabs, acknowledged Monday that a previous iteration of the extension was first discovered last fall but said that the firm noticed a spike in activity surrounding FacexWorm early last month. Specifically researchers claim there were reports of the platform spreading malicious links in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.

Victims who click through the malicious link, sent via Messenger, are redirected to a phony YouTube page that prompts them to download FacexWorm. The extension then opens Facebook, requests an OAuth token from the site, and essentially steals the victim's friends list, sending any user online or idle a message pushing the same fake YouTube video out.

While unnamed at the time, David Jacoby, a Senior Security Researcher with Kaspersky Lab's Global Research & Analysis Team, discovered the malware/adware last August. Similar to TrendMicro's findings, Jacoby observed the malware redirecting victims to a fake YouTube video while on Chrome.

What the latest version of FacexWorm is really after, like many strains of malware these days, is digital money, cryptocurrency. While the extension can ping its command and control server for JavaScript code to steal Google credentials, it's also interested in any logins the victim may have for MyMonero, a wallet that allows users to send and receive Monero, and Coinhive, a service that allows users to embed JavaScript miners for the Monero Blockchain.

Monero has been around since 2014 but it's only been in the last year or so that the untraceable open source cryptocurrency has caught on with cybercriminals.

The extension, at times, can be downright greedy when it comes to cryptocurrency. If a user enters in words like “blockchain,” “eth-,” or “ethereum” in the URL bar it will redirect them to a scam site that lures them to pay ether, ETH, to the attacker. Naturally the extension also mines cryptocurrency, something that hijacks 20 percent of victim's machines, via Coinhive, and attempts to trick users into clicking through referral links for sites.

Researchers say it's uncertain how successful the campaign has been; they've only seen one Bitcoin transaction to date connected to the attackers' wallet.
Joseph Chen, a fraud researcher with the firm, claims attackers continue to upload new versions of the extension to the Chrome store but that Google has remained vigilant when it comes to removing them.

Facebook, which now blocks cryptocurrency-focused socially engineered links like this automatically, circulated the same statement this week it shared in December, when researchers with Trend Micro uncovered another variant of cryptocurrency mining malware, Digmine, propagating via Facebook Messenger.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on”

Trend Micro doesn't say exactly when Google removed the extension but it's likely the timeline coincided with an announcement from the company last month that it would no longer accept Chrome extensions that mine cryptocurrency. Google said it will fully delist extensions in late June; given FacexWorm was doing more than just mine cryptocurrency, it's not surprising the company worked quickly to eradicate it.

Tags: Security News, Malware, Cryptocurrency, Social Media Security

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.