A new malware campaign spreading through Facebook has been discovered; it steals users’ social media credentials and downloads cryptomining code onto victims’ systems.
The malware, known as Nigelthorn, was discovered by Radware researchers in May but had been active since March 2018, and it has already infected more than 100,000 users globally.
The campaign targets social media websites in general, but its main victims are Facebook users. The malware abuses a legitimate Google Chrome extension called “Nigelify” to bypass Google’s validation checks.
According to the researchers, “the malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video. Once the user clicks on “Add Extension,” the malicious extension is installed, and the machine is now part of the botnet.”
“This is done to trick users and retrieve access to their Facebook account. Over 75 percent of the infections cover the Philippines, Venezuela, and Ecuador. The remaining 25 percent are distributed over 97 other countries,” said researchers.
A Google spokesperson told Threatpost that “we removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted.”