Google removes 49 Chrome extensions that hijack cryptocurrency wallets

Google has removed 49 Chrome browser extensions from its web shop that pretend to be wallets for cryptocurrencies but contain malicious code to get confidential information and empty the wallets.

The 49 extensions, possibly the result of the work of Russian operators, have been identified by researchers from MyCrypto and PhishFort. In this regard, Harry Denley, security director at MyCrypto, stated that extensions are essential Phishing Contains mnemonic phrases, secrets, private keys and key storage files.

As soon as the user enters them on their device, the extension sends an HTTP POST request to them Backendand so The attackers receive the data and empty the victims’ accounts.

The malicious extensions were removed 24 hours after they were reported to Google. However, MyCrypto’s analysis shows that they have been displayed in the web shop since February 2020 and will increase in the following months.

All extensions work the same way. The only difference concerns the brands of the cryptocurrency portfolios that were affected by 14 C2 servers (Unique Command and Control) that received the data from the website Phishing. The portfolios include Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey.

With this in mind, it was found that MEW CX, the malicious extension targeting MyEtherWallet, captured the starting words and transmitted them to an attacker-controlled server to empty the victim’s wallet.

However, the money was not stolen from all accounts in this way. The researchers suspect that this could be due to the fact that cybercriminals are only looking for high-quality accounts or that they have to check the accounts manually.

According to Denley, some of the extensions contained false five-star comments, which increased the likelihood of an unsuspecting user downloading them. He added the following:

There was also a network of watchful users who wrote legitimate reviews that the extensions were malicious. However, it’s difficult to say whether they were victims of phishing scams themselves or simply helped the community stop downloading.

Data theft extensions are common in the Chrome Web Store and cause Google to delete them as soon as they are discovered. In February The company removed 500 malicious extensions after they were discovered because it was a Adware As a result, users’ browsing activities were sent to C2 servers under the control of attackers.

If you suspect you have been the victim of a malicious browser extension and have lost money, it is recommended to submit a report on CryptoImageDB.

---

Translated version of Ravie Lakshmanan’s article published in The Hacker News.