Malware In Chrome Extensions Can Steal Facebook Info & More

The Chrome Web Store is the official outlet for Chrome extensions and the safest place to obtain them, as demonstrated by the fact that security firm Trend Micro recently found malware called FacexWorm embedded in an extension that’s been making its way around Facebook. The extension in question is called Koblo, and it’s capable of stealing your Facebook credentials, among other information, with ease. Essentially, once it is installed and granted full permissions, this extension can steal just about any login you enter into Chrome, potentially culminating in full-on identity theft. Koblo currently seems to be the only extension carrying this particular strain of malware, but it’s not unreasonable to think that there are probably others, which means that users should exercise caution and only install extensions from the Chrome Web Store. Even that solution, of course, is far from perfect.

The extension in question masquerades as a sort of codec add-on for Chrome that will allow users to watch a video that’s attached to a Facebook message. Once it’s installed, your Facebook credentials are the easiest pickings, since you’re almost guaranteed to be logged onto that page at the moment. Once it has those, it spreads itself by sending messages to any of your friends who happen to be online and active. Just like the one you received, this message will contain a link to a video, which will prompt your friends to download the extension. The cycle repeats if any of your friends fall for it. Facebook seems to be the primary distribution method for this malware right now.

Though Chrome does not allow direct access to your database of stored passwords in most cases, if you enter your login information and log onto a site while the extension is active, it can steal those credentials by intercepting them. This makes the FacexWorm malware extremely dangerous, and makes it entirely possible that it could spread beyond Facebook. This malware was first found in August of 2017, and had been relatively quiet until its recent transformation. Its previous form lacked the ability to steal credentials outside of Facebook, making this version far more dangerous.
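
Whether an extension is in a position to see logins on every site comes down to the permissions in its `manifest.json`. The sketch below is an added example, not code from Trend Micro or from the extension described here: it triages a manifest by checking for all-site host access and content scripts injected everywhere. The two sample manifests, the helper name `audit_manifest` and the list of APIs treated as sensitive are assumptions made for illustration.

```python
import json

# Host match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extension APIs that expose traffic, sessions or tab contents (illustrative list).
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                  "debugger", "scripting"}

def audit_manifest(manifest_text):
    """Return what an extension's manifest.json lets it see, plus a triage level."""
    m = json.loads(manifest_text)
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    declared = [p for key in ("permissions", "host_permissions")
                for p in m.get(key, []) if isinstance(p, str)]
    broad = {p for p in declared if p in BROAD_HOSTS}
    apis = {p for p in declared if p in SENSITIVE_APIS}
    # Content scripts run inside matching pages and can read form fields there.
    injected = {pat for cs in m.get("content_scripts", [])
                for pat in cs.get("matches", []) if pat in BROAD_HOSTS}
    if broad or injected:
        level = "high"      # in a position to observe logins on any site
    elif apis:
        level = "review"    # powerful API, but limited to named hosts
    else:
        level = "low"
    return {"name": m.get("name", "?"), "level": level,
            "broad_hosts": sorted(broad | injected),
            "sensitive_apis": sorted(apis)}

# Constructed sample manifests (not taken from any real extension).
CODEC_LURE = json.dumps({
    "name": "Example Video Codec", "manifest_version": 2,
    "permissions": ["tabs", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})
NARROW = json.dumps({
    "name": "Example Site Helper", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://intranet.example/*"],
    "content_scripts": [{"matches": ["https://intranet.example/*"],
                         "js": ["helper.js"]}],
})

if __name__ == "__main__":
    for text in (CODEC_LURE, NARROW):
        print(audit_manifest(text))
```

A "high" result does not mean an extension is malicious, only that it has the access this kind of credential theft depends on, so a self-described codec or video helper asking for it deserves a closer look before it is installed.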