Researchers at Radware, a cybersecurity firm, have uncovered what they describe as a number of malicious Chrome extensions, which were available for download at the official Chrome Store.
They say the extensions have been deployed by hackers to steal log-ins, engage in cryptomining, and carry out click fraud campaigns.
Chrome, the popular browser developed by Google, has an estimated 1 billion users worldwide.
“This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension – the ‘Nigelify’ application,” the company wrote on its blog.
The researchers believe the group behind the malware has been active since March and, to date, has infected more than 100,000 users in more than 100 countries.
Clever group of hackers
“Facebook malware campaigns are not new,” the researchers said. “Examples of similar operations include facexworm and digimine, but this group appears to have been undetected until now thanks to the campaign consistently changing applications and the use of an evasive mechanism for spreading the malware.”
The malware sends unsuspecting victims to a fake YouTube page and asks the user to install a Chrome extension to play the video. If the user clicks “add extension,” the action installs the malicious extension, making the device part of the hackers' botnet army.
Infection requires the user to follow that prompt and add the extension in order to view the supposed YouTube video.
Users of infected computers are eventually redirected to Facebook, where the malware steals the users' log-in information. So far, the Radware researchers believe the threat only affects Chrome users.
Denial of service attacks
Once the infected computer is under the control of the hacker group, it can be used to carry out a number of nefarious activities. It can be part of a massive denial of service (DoS) attack on major institutions and websites.
It can also be used to mine cryptocurrency, a process that requires significant amounts of processing power. Using hundreds, or even thousands, of infected computers, hackers can carry out a remote but highly profitable cryptomining operation.
The researchers say the malware uses several techniques to remain persistent on the machine and to keep its Facebook activity running. If the user tries to open the extensions tab to remove the add-on, the malware closes the tab and prevents removal.
Radware says it found a total of seven malicious extensions and that all have since been removed from the Chrome Store and from infected browsers.