Password Stealing Malware on FB Messenger

By:  |  Category: Blog, Security Friday, May 11th, 2018  |  No Comments
Password Stealing

A variant of malware using fake Facebook Messenger messages to infect other users has re-emerged with new schemes to steal passwords, steal cryptocurrency and participate in cryptojacking.

The scam was first discovered in August last year with the malware using phishing messages over Facebook Messenger to direct victims to fake versions of websites like YouTube, where they are instructed to download a malicious Chrome extension.

The malware has laid low since then, at least until April when it appears to have suddenly surged in activity, targeting Facebook users around the world.

Analysis by researchers at security company Trend Micro – which has named the malware FacexWorm – said that while the malicious software is still spread via Facebook and exploits Google Chrome, many of its capabilities have been completely reworked.

New abilities include the capability to steal account credentials from selected websites, such as Google as well as cryptocurrency websites. It also pushes cryptocurrency scams of its own and mines infected systems for additional currency.

But in order to conduct any of this activity, the malware needs to be installed on the system of a victim. Victims received a link out of the blue from a Facebook contact which directs them to a fake YouTube page.

The page asks the victim to install a codec extension to play the video. If run, this extension will install FacexWorm, which asks for permissions to access the site and change data.

This worm enables contact with the command and control server to access Facebook. This connection results in more fake YouTube links being sent to contacts to continue the spread of the malware.

FacexWorm itself is a clone of a normal Google Chrome extension, but injected with malicious code. This is delivered by downloading additional JavaScript code each time the browser is opened and whenever a new website is opened.


If the malware is coded to retrieve credentials from that site, it retrieves additional Javascript in order to execute additional behaviours, which include stealing login credentials.

In addition to this, the malware targets those using cryptocurrency trading platforms by searching for keywords like ‘blockchain’ and ‘etherium’ in the URL.
If this is detected, FacexWorm sends users to a scam webpage which asks the user to send anywhere between 0.5 and 10 of the Ether cryptocurrency for ‘wallet address verification’ with a promise it will send more back. Obviously, if a user does this, they’ll get nothing back at all – fortunately, researchers say nobody has sent money to the address.

However, the attackers also attempt to maliciously earn cryptocurrency via other means, including the use of attacker-controlled referral links which provide them with some income each time users buy currency via the link.

FacexWorm also injects the victim with a cryptocurrency miner. Researchers say the miner uses just 20 percent of the infected system’s CPU, a tactic likely adopted to ensure the miner isn’t discovered.

But the malware does contain a mechanism to keep itself hidden; if the extension management tab is opened, FacexWorm will immediately close it, a protection method also used by malicious extensions such as DroidClub.

While Trend Micro says malicious extensions are quickly removed from the Chrome Web Store, the attackers are quick to re-upload them.

Facebook is aware of the malware and said that Messenger can stop the spread of malicious links.

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners,” the company said in a statement.

In order to avoid becoming infected in the first place, Trend Micro warns users to: “Think before sharing, be more prudent against unsolicited or suspicious messages, and enable tighter privacy settings for your social media accounts.

If you need help with cybersecurity give EnhnacedTECH a call at 714-970-9330 or contact us at [email protected]


Samantha Keller

Director of Marketing and PR at EnhancedTECH
Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football.Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.
Samantha Keller

Latest posts by Samantha Keller (see all)

Leave a Comment
Read previous post:
2-Factor Authentification
Hackers Bypassing 2-Factor Authentification

There is a scary new exploit out in the wild. KnowBe4's Chief Hacking Officer Kevin Mitnick reveals some startling news....