49 crypto-wallet pickpocketing browser extensions booted from the Chrome web store

Graham CLULEY

April 16, 2020


Hackers have been using Google Ads to trick unsuspecting cryptocurrency investors into installing malicious browser extensions, with the aim of stealing passphrases and private keys and draining funds from their wallets.

Harry Denley, a researcher at MyCrypto, has described how he discovered scores of malicious Chrome browser extensions that targeted cryptocurrency wallets from Ledger, Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet, and Trezor.

“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”

The bogus extensions would forward the sensitive data entered by the user to servers under the control of the hackers, or to a Google form.

Of course, just creating a malicious browser extension that steals your cryptocurrency wallet’s private key and then getting it into the Chrome web store isn’t enough. You also need to drive your potential victims to the extension in the first place.

The attackers were able to do this by purchasing Google Ads directed at those searching for cryptocurrency wallets, such as the one made by Trezor.

According to Denley, some of the extensions had received fake five-star reviews and bogus positive feedback in the Chrome web store in an attempt to reassure users wondering whether they were safe to install or not:

“Most of the positive feedback by bad actors were low quality, such as “good,” “helpful app,” or “legit extension.””

Mixed amongst the positive feedback there were also legitimate reviews that correctly pointed out the malicious nature of the browser extensions and warned users not to download them.

Complaints about the bogus extensions from users who claim to have lost funds have also appeared on message boards.

The good news is that Denley reported the offending extensions to Google, and they have now been removed from the Chrome web store. The bad news is that they were able to appear there in the first place, and that it was possible for the attackers to purchase Google Ads that directed traffic towards them.

It’s hard to imagine that hacking groups stealing money from cryptocurrency wallets won’t try similar attacks in the future.

Advice for cryptocurrency investors concerned that they might be similarly tricked by a bogus extension includes taking careful note of the permissions that each browser extension requires, and understanding their implications before giving approval.

In addition, you may choose to limit a Chrome browser extension to only working on a particular website, or when clicked upon.
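
To make the permission check concrete, here is an added example (not from the original article or from Denley's research): a Python script that reads an extension's `manifest.json` and reports whether it asks for access to every site or only to named ones. The two sample manifests are constructed, and the `SENSITIVE_APIS` list is an illustrative assumption, not a complete catalogue.

```python
import json

# Match patterns that grant access to every page the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (assumed, illustrative list).
SENSITIVE_APIS = {
    "clipboardRead": "can read the clipboard (copied keys or seed phrases)",
    "webRequest": "can observe network requests",
    "cookies": "can read cookies for sites it has host access to",
    "tabs": "can see the URL and title of every tab",
}

def audit_manifest(manifest):
    """Return (severity, message) findings for one parsed manifest.json."""
    declared = [p for p in manifest.get("permissions", [])
                + manifest.get("host_permissions", [])  # Manifest V3 key
                if isinstance(p, str)]
    # Host access comes from match patterns in permissions and content scripts.
    hosts = {p for p in declared if p == "<all_urls>" or "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    broad, narrow = sorted(hosts & BROAD), sorted(hosts - BROAD)
    findings = []
    if broad:
        findings.append(("high", f"runs on all sites: {', '.join(broad)}"))
    if narrow:
        findings.append(("info", f"limited to: {', '.join(narrow)}"))
    for p in declared:
        if p in SENSITIVE_APIS:
            findings.append(("medium", f"{p}: {SENSITIVE_APIS[p]}"))
    if "activeTab" in declared and not broad:
        findings.append(("info", "activeTab: page access only after a click"))
    return findings

# Constructed sample manifests, not taken from any real extension.
SAMPLE_BROAD = json.loads("""{
  "name": "Example Wallet Helper (constructed)", "manifest_version": 2,
  "permissions": ["storage", "clipboardRead", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}]
}""")
SAMPLE_SCOPED = json.loads("""{
  "name": "Example Scoped Extension (constructed)", "manifest_version": 3,
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://wallet.example/*"]
}""")

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_SCOPED):
        print(sample["name"])
        for severity, message in audit_manifest(sample):
            print(f"  [{severity}] {message}")
```

To check an extension you already have, load its `manifest.json` with `json.load` and pass the result to `audit_manifest`.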

Denley also advises users to consider creating a separate browser user that is used solely for cryptocurrency data:

“This will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.”
