FacexWorm Targets Cryptocurrency Exchanges via Facebook Messenger


A Cyber Safety Solutions team has identified a malicious Chrome extension, FacexWorm, which targets cryptocurrency exchanges via Facebook Messenger, cybersecurity company Trend Micro reported.

Trend Micro said in a blog post that “FacexWorm isn’t new. It was uncovered in August 2017, though its whys and hows were still unclear at the time. Last April 8, however, we noticed a spike in its activities that coincided with external reports of FacexWorm surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.”

The malicious Chrome extension affects a variety of major exchanges, including Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, in addition to Blockchain’s (previously Blockchain.info) crypto wallet, by hijacking their cryptocurrency transactions.

The security team found one faulty Bitcoin transaction, but was not able to identify the value of the transaction.

“It retains the routine of listing and sending socially engineered links to the friends of an affected Facebook account, just like Digmine. But now it can also steal accounts and credentials of FacexWorm’s websites of interest. It also redirects would-be victims to cryptocurrency scams, injects malicious mining codes on the webpage, redirects to the attacker’s referral link for cryptocurrency-related referral programs, and hijacks transactions in trading platforms and web wallets by replacing the recipient address with the attacker’s,” the Trend Micro blog post said.

Meanwhile, Chrome had banned cryptocurrency mining extensions well before Trend Micro’s discovery.

Trend Micro advised users to “think before sharing, be more prudent against unsolicited or suspicious messages and enable tighter privacy settings for your social media accounts.”

