How cryptocurrency is killing the 'money mule'


A new strain of malware that targets cryptocurrency users — but not users of mainstream payment options like bank accounts — highlights how much the cybercrime game is changing behind the scenes.

The security firm Trend Micro has discovered a new variant of a malware family called FacexWorm that uses various means to steal a user’s cryptocurrencies. It's an odd target — though increasingly popular, cryptocurrencies are still very small compared with traditional payment methods, and it makes little sense for a malware author to focus on a payment method that few people use. Wouldn’t it be more profitable to target popular banks or PayPal?

The reason for this focus on cryptocurrencies, in which FacexWorm is hardly unique among malware, is that they are much easier to steal. To remove funds from a bank account, one needs another bank account to transfer the funds to, and using your own account more or less guarantees you a visit from your local police force.

Cybercriminals have long relied on middlemen, often called money mules, who are tricked into receiving funds into their account and then use a more or less anonymous money transfer to send the money, minus a fee, to the criminals.

While profitable, such an operation is difficult to run, if only because the money mules regularly need to be replaced after they are identified by banks or police. The relative anonymity of cryptocurrencies allows the criminals to get the virtual money transferred directly into their own wallets, thus taking out the middlemen.

So even while cryptocurrencies may not attract the interest of more than a small minority of people, their anonymity and ease of use — as well as possibly the fact that users are less familiar with the various scams out there — make them very attractive for many an online criminal.

The FacexWorm malware runs as an extension to Google’s Chrome browser and spreads via Facebook Messenger. A victim receives a message with a link to a video that the browser tells them requires a "codec extension" to play. However, the unwitting user ends up installing malware that injects code into websites which uses up to 20 percent of the computer’s CPU power to mine a cryptocurrency.

While these activities are relatively harmless for the victim, other things the malware does are not. When users attempt to visit one of 52 cryptocurrency trading platforms, they are redirected to a site serving a variant of the common scam in which they are enticed to send a small amount of cryptocurrency with the promise of a tenfold return.

The cryptocurrency mining mentioned above, which uses up to 20 percent of the computer’s CPU power, is a popular if not particularly profitable way for illicit actors to make money. The malware also attempts to make money by sending the user to various referral schemes.

The malware also steals credentials for Google and two popular cryptocurrency-related websites, MyMonero and Coinhive, and perhaps most worryingly it replaces the cryptocurrency trading address of many platforms with one controlled by the attackers.

In this particular case, Google responded quickly and removed the extension; the crooks hadn’t made more than a few dollars’ worth of digital currency before they were stopped.
