The security firm Radware has recently discovered seven malicious Chrome extensions that steal users' Facebook and Instagram credentials and install cryptocurrency miners on infected devices. The extensions the researchers identified are Nigelify, PwnerLike, Alt-j, Fix-case, Divinity 2 Original Sin: Wiki Skill Popup, Keeprivate, and iHabno. Together, the seven extensions infected more than 100,000 computers, although Google removed five of them in less than a day. Nigelify and PwnerLike, on the other hand, were removed only after Radware reported the malware to Google. More than 75 percent of the affected users are located in the Philippines, Venezuela, and Ecuador.
Radware's researchers said that the developers evaded Google's application validation tools by copying a legitimate extension and then adding a script that triggers the malware incorporated into the extension. The malware is distributed primarily through links spread either via Facebook Messenger or via a post that tags up to 50 of the affected user's contacts. A user who clicks the link is automatically redirected to a fake YouTube page that asks them to download an extension, claiming it is necessary to play the video clip. Once installed, the malicious extension attempts to steal the user's Facebook and Instagram login credentials, then uses the stolen credentials to gather the information it needs to propagate further. In addition to stealing credentials, the extensions install cryptocurrency miners that mine Monero, Bytecoin, and Electroneum. Radware stated that the malware developers may have mined around $1000 worth of digital coin. To prevent users from removing the extension, the malware automatically closes the Chrome Extensions tab whenever the user opens it.
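Because the malware closes the Chrome Extensions tab, an on-disk check is more dependable than the browser UI. The following added example (not Radware's tooling and not from the original article) scans a Chrome profile's Extensions folder for the seven names listed above; it assumes the standard <profile>/Extensions/<id>/<version>/manifest.json layout, and the function names are hypothetical.

```python
import json
from pathlib import Path

# Extension names reported in the article (the page gives names only, no IDs).
REPORTED_NAMES = {
    "nigelify", "pwnerlike", "alt-j", "fix-case",
    "divinity 2 original sin: wiki skill popup", "keeprivate", "ihabno",
}

def display_name(version_dir: Path) -> str:
    """Return the extension's name, resolving a __MSG_key__ placeholder if used."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are matched case-insensitively
        locale = manifest.get("default_locale", "en")
        msg_file = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name  # keep the placeholder if the locale file is unreadable
        for k, v in messages.items():
            if k.lower() == key and isinstance(v, dict):
                return str(v.get("message", name))
    return name

def find_reported_extensions(extensions_dir):
    """Return (extension_id, version, name) for each installed name match."""
    hits = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            name = display_name(version_dir)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        if name.strip().lower() in REPORTED_NAMES:
            hits.append((version_dir.parent.name, version_dir.name, name))
    return hits

if __name__ == "__main__":
    import sys
    # Usage: python audit.py "<path to profile>/Extensions"
    for ext_id, version, name in find_reported_extensions(sys.argv[1]):
        print(f"{ext_id}\t{version}\t{name}")
```

A name match is a lead to investigate rather than proof, since the article notes the malicious extensions were copies of legitimate ones.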
Within the last few months, security firms have discovered other malware designed to steal users' Facebook login credentials. Among them is FacexWorm, malware embedded in the Koblo extension. Like the recently discovered extensions, it claims to be a codec add-on for the Chrome browser. Another example is the Stresspaint malware, which has stolen the credentials of around 45,000 Facebook users.