Contact UsWDN News & more...

7 Chrome Extensions Spreading Through Facebook Caught Stealing Passwords


Luring users on social media to visit lookalike version of standard websites that pop-up a reliable-taking a scrutinize Chrome extension set up window is one in every of doubtlessly the most in model modus operandi of cybercriminals to unfold malware.

Security researchers are all all over again warning users of a new malware advertising and marketing and marketing campaign that has been active since no longer no longer up to March this year and has already infected more than 100,000 users worldwide.

Dubbed Nigelthorn, the malware is swiftly spreading through socially engineered links on Facebook and infecting victims’ systems with malicious browser extensions that resolve their social media credentials, install cryptocurrency miners, and buy them in click fraud.

The malware was as soon as pushed through no longer no longer up to seven varied Chrome browser extensions—all were hosted on Google’s legit Chrome Web Store.

These malicious Chrome browser extensions were first realized by researchers at cybersecurity firm Radware, after a “successfully-stable community” of one in every of its possibilities, an unnamed world manufacturing firm, got compromised.


According to a report published by Radware, the malware operators are the assert of copies of reputable Google Chrome extensions and injecting a short obfuscated malicious script into them to avoid Google’s extension validation checks.

Researchers named the malware “Nigelthorn” after one in every of the malicious extensions which was as soon as the copy of standard ‘Nigelify’ extension designed to modify all photos on an online content with gifs of ‘Nigel Thornberry.’

Nigelthorn Propagates By Links Sent Over Facebook

Nigelthorn is spreading through socially engineered links on Facebook, which if clicked redirects victims to counterfeit YouTube page, asking them to acquire a malicious Chrome extension, to continue playing the video.

Once set up in, the extension executes a malicious JavaScript code that makes victims’ computer systems allotment of a botnet.

A identical malware, dubbed Digimine, emerged final year that moreover worked by sending socially engineered links over Facebook Messenger and set up in a malicious extension, permitting attackers to acquire admission to the victims’ Facebook profile and unfold the identical malware to their company’ checklist by project of Messenger.

We no longer too prolonged ago wrote about every other identical malware advertising and marketing and marketing campaign, dubbed FacexWorm, that was as soon as moreover dispensed by sending socially engineered links over Facebook Messenger and redirected users to counterfeit YouTube page, asking them to put in a malicious Chrome extension.

NigelThorn Steals Password for Facebook/Instagram Accounts

The brand new malware majorly specializes in stealing credentials for victims’ Facebook and Instagram accounts and gathering shrimp print from their Facebook accounts.

This stolen recordsdata is then feeble to ship malicious links to company of the infected particular person so that you just can push the identical malicious extensions additional. If any of these company click on the link, your whole infection project starts over all all over again.

NigelThorn moreover downloads a publicly available, browser-essentially based cryptocurrency mining tool as a plugin to position of abode off the infected systems to delivery mining cryptocurrencies, including Monero, Bytecoin or Electroneum.

Over the duration of merely 6 days, the attackers perceived to generate roughly $1,000 in cryptocurrencies, mostly Monero.

Nigelthorn is moreover power as to stop users from placing off the malicious extensions, it automatically closes the malicious extension tab at any time when the user opens it prevents elimination.

The malware moreover blacklists a unfold of orderly-up instruments offered by Facebook and Google and even prevents users from making edits, deleting posts and making comments.

List of Malicious Chrome Extensions


Right here’s the name of all seven extensions masquerading as reputable extensions:

  • Nigelify
  • PwnerLike
  • Alt-j
  • Fix-case
  • Divinity 2 Usual Sin: Wiki Skill Popup
  • Keeprivate
  • iHabno

Even supposing Google has removed the whole above-listed extensions, if you be pleased got set up in any of them, you are knowledgeable to without lengthen uninstall it and exchange passwords to your Facebook, Instagram and apart from for other accounts the put you’re the assert of the identical credentials.

Since Facebook Spam campaigns are rather popular, users are knowledgeable to be vigilant when clicking on links and recordsdata supplied by project of the social media pickle platform.