Facebook Messenger was plagued, back in August last year, with a form of malware that sent out fake messages in an attempt to steal passwords and other sensitive information from users on the platform. It seems the malware is back for strike two as it has been spotted stealing data and cryptocurrency from users on the messaging app. It reportedly directs users to fake links where it urges users to install fake Chrome extensions.
Dubbed FacexWorm by the researchers over at security firm Trend Micro, this malware reportedly has had its capabilities transformed and now has a second stint at spreading itself across Facebook and Google Chrome. FacexWorm has added new abilities that include pushing indigenous cryptocurrency scams, mining infected systems for cryptocurrency, and stealing account credentials from websites. A socially engineered fake YouTube page is sent to unsuspecting Facebook Messenger users prompting them to install a codec extension from where it gets installed on their systems. A Facebook share link enables the malware to reach other people in your friend list as well, and possibly infect their systems as well.
Interestingly enough, the blog post states, FacexWorm malware specifically targets cryptocurrency trading portals by searching for keywords such as 'blockchain' and 'ethereum' present in the URL. Once detected, it will apparently prompt the user to verify wallet address payment by sending a token amount of Ether. While there seems to be no possibility of getting the money back, researchers say only one Bitcoin transaction has been compromised in the ordeal yet.
The Trend Micro blog suggests this to be FacexWorm's malicious behaviour - steal the user's account credentials for Google, MyMonero, and Coinhive; push a cryptocurrency scam, conduct malicious web cryptocurrency mining, hijack cryptocurrenty-related transactions, and earn from cryptocurrency-related referral programmes.