Trend Micro researchers have issued a report about malware named FacexWorm, which tricks users into clicking a link sent to their Facebook Messenger application and then into paying cryptocurrency in order to access content they want to browse.
FacexWorm isn’t new. It was uncovered in August 2017, though its whys and hows were still unclear at the time. Last April 8, however, we noticed a spike in its activities that coincided with external reports of FacexWorm surfacing in Germany, Tunisia, Japan, Taiwan, South Korea, and Spain.
Trend Micro researchers explained that FacexWorm is a clone of a normal Chrome extension, but injected with short code containing its main routine. The FacexWorm extension automatically redirects users to a page, where they are asked to send a small amount of Ethereum to verify their account.
FacexWorm is delivered through socially engineered links sent to Facebook Messenger. The links redirect to a fake YouTube page that will ask unwitting users to agree and install a codec extension (FacexWorm) in order to play the video on the page. It will then request privilege to access and change data on the opened website.
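The permission request described above is visible in an extension's `manifest.json` before it is ever installed. As an added defensive example (not code from Trend Micro or from the report), this Python check flags manifests that ask for access to every site the user opens; the function name and both sample manifests are constructed for illustration and are not taken from FacexWorm.

```python
import json

# Match patterns that grant an extension access to every site the user opens.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest_text):
    """Return sorted (manifest_key, pattern) pairs that grant all-site access."""
    manifest = json.loads(manifest_text)
    findings = set()
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            # Some permission entries are objects, not strings; skip those.
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                findings.add((key, entry))
    # Content scripts are injected into every page matching "matches".
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.add(("content_scripts.matches", pattern))
    return sorted(findings)

# Constructed sample: a "codec" extension that asks for all-site access.
SAMPLE_BROAD = json.dumps({
    "manifest_version": 2,
    "name": "Example Codec (constructed)",
    "version": "1.0",
    "permissions": ["tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
})

# Constructed sample: an extension scoped to a single site.
SAMPLE_SCOPED = json.dumps({
    "manifest_version": 2,
    "name": "Example Scoped (constructed)",
    "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://www.example.com/*"], "js": ["c.js"]}],
})

if __name__ == "__main__":
    for label, text in (("broad", SAMPLE_BROAD), ("scoped", SAMPLE_SCOPED)):
        print(label, broad_host_access(text))
```

A finding here does not mean an extension is malicious, since many legitimate extensions need broad access; it marks the ones whose requested access is out of proportion to their stated purpose, such as a video codec.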
According to The Cryptograph, the Chrome Web Store has removed the extension, and Facebook has banned the domains associated with the spam messages.