The malicious Chrome extension FacexWorm is targeting cryptocurrency trading platforms via Facebook Messenger in order to steal account credentials for Google, MyMonero and Coinhive.
The malware was first spotted in August 2017; however, Trend Micro researchers noticed an uptick in activity that coincided with external reports of FacexWorm surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain, according to an April 30, 2018 blog post.
The malware sends socially engineered links to the friends of an affected user's Facebook account to redirect would-be victims to cryptocurrency scams, inject malicious cryptocurrency-mining code into web pages, and redirect victims to the attacker's referral link for cryptocurrency-related referral programs.
FacexWorm also hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker's, researchers said in the post. The malicious links lead to fake YouTube pages that ask unsuspecting users to play the video on the page; doing so prompts a request for permission to access and change data on the opened website, which initiates the attack.
Researchers noted that the Chrome Web Store had removed many of the malicious extensions before being contacted by the researchers; however, the attacker has persistently uploaded it back to the store. Facebook Messenger can also detect the malicious links and block the propagation behavior of the affected account, researchers said.