Well, as we motor into today’s weekend,  one thing is for sure:  We will probably be using our social media tools more to plan out our weekend activities, and for communicating with family and friends.  There is no doubt that the likes of them have for sure received their fair share of news headlines, most of them of them in the negative.

But in my view, this is rightfully so.  True, we have to protect our own accounts and watch carefully whom with we interact with, but these social media sites also have a responsibility to the public and most importantly, their end user base of whom we depend upon to help ensure our security as well.

But, it should come to of no surprise once again that as we close out the week, that Facebook is yet once again making news headlines.  No, not on CNN, or CNBC, but rather in the hacking world.

Let’s examine this further.  The issue at hand is what is known as a “Chrome Extension”.  Yes, we all have heard of Chrome, it is the very popular web browser made available by Google.  In fact, I use it quite extensively, and have vowed to myself, as far as possible, never to use Microsoft Edge ever again.  So, what exactly is a “Chrome Extension”?  It can be defined as follows:

“Extensions are small software programs that customize the browsing experience. They enable users to tailor Chrome functionality and behavior to individual needs or preferences. They are built on web technologies such as HTML, JavaScript, and CSS.”

(SOURCE:  https://developer.chrome.com/extensions).

Many times, these Chrome based extensions are small pop ups that appear as you surf the web using Chrome.  For the most part, you know that these pop ups are safe, because you have actually downloaded and installed the Chrome extension to make them appear.

It is important to note that these kinds of pop ups are not the same as those pop ups that just appear at willy nilly on your web browser – these are the unsafe and malicious kind.

But yet once again, Cyber attackers are taking advantage of even this, and even creating fake Chrome extension pop ups in an effort to ensnare web surfers to visit phony sites, which look like the real thing.  In a way, this is very much like a Phishing scheme; but rather than getting an e-mail message, you are getting a phony pop up.

In fact, the latest malware to infect legitimate Chrome extensions is known as “NigelThorn”, and since its introduction in March, it has already infected some 100,000+ users worldwide.  But this one likes to especially prey on Facebook, and infect systems with malicious Chrome extensions that steal their social media credentials, install cryptocurrency miners, and engage them in click fraud.

Current research has shown that NigelThorn was sent through at least seven different types of Google Chrome extensions – all of which could be downloaded from Google’s official Chrome Web Store.  Apparently, NigelThorn makes use of legitimate Chrome Extensions and injects a specific piece of malicious code into them which  even bypasses that of the Google’s extension validation and security checks.

At the present time, NigelThorn is making its way through Facebook primarily, and the end user is prompted to click on a fake YouTube link.  From there, they are then prompted to download a Chrome Extension if they wish to continue to watching that particular video.  Once this happens, a malicious piece of a JavaScript code is then installed onto the end user’s computer, which then makes them a part of a much larger “botnet”.  NigelThorn is also making its on Instagram, and from there, once an a subscriber clicks on a phony link,  personal account information is then stolen.  From there,  malicious links are then sent to other friends of the infected person in an effort to push the same malicious extensions even further. If any of those other friends click on the link, the whole infection process starts over again, and thus, keeps repeating itself.

Even worst yet, NigelThorn even makes use of the Chrome Extensions in order to start maliciously  mining for cryptocurrencies, which include the likes of  Monero, Bytecoin, and  Electroneum.  In just less than one week, approximately $1,000 in cryptocurrencies, mostly Monero.

If an end user tries to uninstall any of these particular Chrome Extensions, that tab will also close automatically, thus making it that more difficult to remove NigelThorn. Even worst, NigelThorn also disables the clean-up tools that are offered by Facebook and Google.

The following are seven Chrome Extensions which have been affected by NigelThorn:

  • Nigelify
  • PwnerLike
  • Alt-j
  • Fix-case
  • Divinity 2 Original Sin: Wiki Skill Popup
  • Keeprivate
  • iHabno


(SOURCE:  https://thehackernews.com/2018/05/chrome-facebook-malware.html)


It is important to note that Google has removed all of these above mentioned Chrome Extensions from its store.  They also advise to keep changing your Facebook and Instagram passwords on a regular basis (YUKKK – in this case, get a Password Manager).  What can you do stay safe?  It’s just comes down to trusting your gut – if a link from a pop up appears from a Chrome Extension just simply does not look or feel right, then DON’T CLICK ON IT!!!