Malware spread via malicious Chrome extensions steals Facebook login details


Google Chrome users have been put on alert after several popular extensions available to download from the Chrome Web Store were found to be stealing data.

The malicious extensions were discovered by cyber security firm Radware, which says they were deployed by hackers to steal login details, take part in crypto mining and carry out fraud campaigns.

“This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension – the ‘Nigelify’ application,” Radware said in a blog post.

Radware researchers said the malware had been active since March and had infected 100,000 users in more than 100 countries.

Hackers spread the malware using engineered links on Facebook, with users directed to a fake version of YouTube where they were then asked to install the Chrome extension in order to play the video.

Once infected, users were then directed to Facebook, where the malware stole their login credentials.

“Facebook malware campaigns are not new,” researchers from Radware said.

“Examples of similar operations include facexworm and digimine, but this group appears to have been undetected until now thanks to the campaign consistently changing applications and the use of an evasive mechanism for spreading the malware.”

Aside from stealing login credentials, infected machines were also used for crypto mining or as part of denial-of-service (DoS) attacks on websites.

Radware said it found a total of seven Chrome extensions which contained the malware, including: Nigelify, PwnerLike, Alt-j, Fix-case, Divinity 2 Original Sin: Wiki Skill Popup, keeprivate and iHabno.

The extensions have now been removed from the Chrome Store, researchers confirmed.

