Social networks are a privileged attack vector that cybercriminals can use to spread malware to a wide audience.
In recent months, security experts discovered many strains of malware that were delivered through social networks, but with the growing interest in cryptocurrencies, crooks have started using platforms like Facebook to spread cryptocurrency miners.
A few weeks ago, security experts at Trend Micro discovered a new threat spreading through Facebook Messenger.
Security researchers spotted a malicious Chrome extension, dubbed FacexWorm, which is spreading through Facebook Messenger and targeting users of cryptocurrency trading platforms to steal their accounts’ credentials and run cryptocurrency mining scripts.
“Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger,” reads the report published by Trend Micro.
The FacexWorm threat was first detected in late April and appears to be linked to two other Facebook Messenger spam campaigns that we will analyze later; one occurred in August 2017 and a second one that was launched in December 2017 to spread the Digmine cryptocurrency miner.
FacexWorm implements several features, including stealing account credentials from websites, like Google and cryptocurrency sites, redirecting victims to rogue cryptocurrency sites, injecting cryptocurrency miners, and redirecting victims to the attacker’s referral link for cryptocurrency-related referral programs.
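The capabilities listed above (reading login forms on arbitrary sites, injecting mining scripts, redirecting requests to referral links) all require a particular combination of Chrome extension permissions. The following script is an added defensive example, not part of the original post and not Trend Micro's tooling: it audits extension manifests found under a Chrome profile's Extensions directory and flags the permission combinations such an extension would need. The risk heuristics and the two sample manifests are assumptions constructed for the example, not the real extension's manifest.

```python
"""Audit Chrome extension manifests for the capability combination a
credential-stealing, script-injecting extension would need.
Added example; heuristics and sample manifests are constructed here."""
import json
from pathlib import Path

# Match patterns granting access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or rewrite traffic and
# pages across the whole browser session (assumed set for this example).
SENSITIVE = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
             "tabs", "cookies", "scripting", "webNavigation"}


def risk_flags(manifest: dict) -> list[str]:
    """Return human-readable reasons an extension deserves a closer look."""
    flags: list[str] = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses
    # "host_permissions". Handle both.
    hosts = set(manifest.get("host_permissions", [])) | (perms & ALL_SITES)
    if hosts & ALL_SITES:
        flags.append("host access to every site")
    sensitive = perms & SENSITIVE
    if sensitive:
        flags.append("sensitive API permissions: " + ", ".join(sorted(sensitive)))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            # A content script on every page can read login forms and
            # inject arbitrary scripts such as a miner.
            flags.append("content script runs on every page")
            break
    if {"webRequest", "webRequestBlocking"} <= perms or "declarativeNetRequest" in perms:
        # Blocking request hooks are what a redirect-to-referral-link
        # feature needs.
        flags.append("can redirect or rewrite requests")
    return flags


def audit_directory(root: Path) -> dict[str, list[str]]:
    """Walk an Extensions/ tree (e.g. a Chrome profile) and flag each manifest."""
    results: dict[str, list[str]] = {}
    for manifest_path in root.rglob("manifest.json"):
        try:
            data = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash
        name = data.get("name", manifest_path.parent.name)
        results[f"{name} ({manifest_path.parent.name})"] = risk_flags(data)
    return results


# Constructed sample manifests (assumptions, not the real extension).
BENIGN_MANIFEST = {
    "name": "Example Notes",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}],
}
SUSPICIOUS_MANIFEST = {
    "name": "Example Video Helper",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "cookies", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(m["name"], "->", risk_flags(m) or ["no flags"])
    # Real use: audit_directory(Path.home() / ".config/google-chrome/Default/Extensions")
```

Run it against a profile's Extensions directory to get a per-extension list of flags; an extension with every flag set is not necessarily malicious, but it is one whose origin and code should be verified before it is allowed to stay installed.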
The following image shows the FacexWorm infection chain; it all starts with an apparently harmless link to a video that is shared via Facebook Messenger.
Figure 1 – FacexWorm attack chain (Trend Micro)
FacexWorm propagates through links sent over Facebook Messenger to friends of an affected Facebook account. The (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/vj6KxgoG9rI/