Facebook Messenger Distributes Dangerous Malware

May 11, 2018

Facebook would probably really love some positive press right now in light of all the bad press it got and is still getting with respect to the Cambridge Analytica incident. Unfortunately, they are not going to get the props here. Instead, a form of malware that was active last summer is suddenly reappearing and it’s not being nice either. It’s stealing passwords, cryptocurrency, and doing a bit of crypto-jacking too, just for good measure.

Trend Micro calls it FacexWorm, and it has new features that steal account credentials from websites such as Google and from cryptocurrency sites. It can also carry out cryptocurrency scams and mine cryptocurrency on the systems it infects.

To do any of this, it has to infect a system in the first place. That happens when someone clicks a link in Facebook Messenger that goes to a fake YouTube page, where the user is asked to install an extension to play a video.

Of course, you all know by now not to click on links that are unexpected or from unknown persons, especially when they arrive the way this one does: from someone on your friend list, with “video” as the only text. What makes this one particularly suspicious is that it asks you to install an extension. Just don’t. Anything that asks you to install extensions or plugins could very well be, and most likely is, malware. All kinds of bad things are being distributed through extensions these days, so if you don’t need extensions and plugins installed or active, just delete or disable them in your browsers. In most cases, you likely don’t need them.

FacexWorm is all the more dangerous because it has ways to hide itself. When it is mining cryptocurrency, it uses only 20% of the resources to avoid raising suspicion. It also closes the tab if the extension management tab is opened. These should be clues that something is not right, should you encounter them.
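For the advice above about reviewing installed extensions, here is an added example (not from the original article or from Trend Micro): a Python inventory that reads each extension's `manifest.json` and flags the grants that the behaviour described here would need. The folder layout is that of a Chrome profile's `Extensions` directory. The mapping from permissions to behaviour and the two sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption (not from the article): manifest grants that would allow the
# behaviour described above, i.e. touching pages on any site and seeing tabs.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(ext_root):
    """Flag broad grants; expects <ext_root>/<id>/<version>/manifest.json."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parts[-3]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None
        if not isinstance(data, dict):
            findings.append({"id": ext_id, "name": "?", "flags": ["unreadable manifest"]})
            continue
        grants = {p for p in data.get("permissions", []) if isinstance(p, str)}
        grants |= set(data.get("host_permissions", []))  # Manifest V3 key
        for script in data.get("content_scripts", []):
            grants |= set(script.get("matches", []))
        flags = []
        if grants & BROAD_HOSTS:
            flags.append("runs on every site")
        if "tabs" in grants:
            flags.append("can read the URLs of open tabs")
        findings.append({"id": ext_id, "name": data.get("name", "?"), "flags": flags})
    return findings

def build_sample(root):
    """Write two constructed manifests (not real extensions) under root."""
    samples = {
        "aaaa": {"name": "Video Codec Helper", "permissions": ["tabs", "<all_urls>"]},
        "bbbb": {"name": "Dark Theme", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in audit_extensions(tmp):
            print(f["id"], f["name"], f["flags"] or "no broad grants")
```

A flag here is a reason to look closer at an extension, not proof that it is malicious; many legitimate extensions request the same grants.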

Facebook claims they have mechanisms in place to help stop harmful links from making their way into Facebook and Messenger. If your computer appears to be infected due to something you receive in either of these, they offer to scan your system for free using one of their partners. And you should take them up on it.

Stickley on Security
Published May 8, 2018