
49 crypto-wallet pickpocketing browser extensions booted from the Chrome web store

Graham CLULEY

April 16, 2020


Hackers have been using Google Ads to lure unsuspecting cryptocurrency investors into installing malicious browser extensions, with the aim of stealing passphrases and private keys and draining funds from their wallets.

Harry Denley, a researcher at MyCrypto, has described how he discovered scores of malicious Chrome browser extensions that targeted cryptocurrency wallets from Ledger, Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet, and Trezor.

“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”

Once the user had entered this sensitive data, the bogus extensions would forward it to servers under the control of the hackers, or to a Google Form.

Of course, just creating a malicious browser extension that steals your cryptocurrency wallet’s private key and then getting it into the Chrome web store isn’t enough. You also need to drive your potential victims to the extension in the first place.

The attackers were able to do this by purchasing Google Ads directed at those searching for cryptocurrency wallets, such as the one made by Trezor.

According to Denley, some of the extensions had received fake five-star reviews and bogus positive feedback in the Chrome web store in an attempt to reassure users wondering whether they were safe to install or not:

“Most of the positive feedback by bad actors was low quality, such as ‘good,’ ‘helpful app,’ or ‘legit extension.’”

Mixed amongst the positive feedback there were also legitimate reviews that correctly pointed out the malicious nature of the browser extensions and warned users not to download them.

Complaints about the bogus extensions from users who claim to have lost funds have also appeared on message boards.

The good news is that Denley reported the offending extensions to Google, and they have now been removed from the Chrome web store. The bad news is that they were able to appear there in the first place, and that it was possible for the attackers to purchase Google Ads that directed traffic towards them.

It’s hard to imagine that hacking groups stealing money from cryptocurrency wallets won’t try similar attacks in the future.

Advice for cryptocurrency investors concerned that they might be similarly tricked by a bogus extension includes taking careful note of the permissions that each browser extension requires, and understanding their implications before giving approval.

In addition, you may choose to limit a Chrome browser extension to only working on a particular website, or when clicked upon.
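As an added example (not code from the article or from MyCrypto), the following Python checker reads an extension's manifest.json and flags the two things a user weighing the permission prompt should look for: host patterns that let the extension run on every site, and APIs that can read page content, clipboard or traffic. Both manifests are constructed for illustration, and the wallet domain in the second one is a placeholder.

```python
"""Audit a Chrome extension manifest for over-broad permissions."""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension read or alter page content or traffic.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "clipboardRead", "cookies", "history", "tabs", "scripting"}


def audit_manifest(manifest_json: str) -> dict:
    """Return the sites an extension can touch, risky findings, and whether
    it follows the on-click model (activeTab, no blanket host access)."""
    m = json.loads(manifest_json)
    hosts = set(m.get("host_permissions", []))   # Manifest V3 field
    apis = set()
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    for p in m.get("permissions", []):
        (hosts if ("://" in p or p == "<all_urls>") else apis).add(p)
    # Content scripts run automatically on every matching page.
    for cs in m.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    findings = []
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(f"runs on every site: {sorted(broad)}")
    risky = apis & SENSITIVE_APIS
    if risky:
        findings.append(f"sensitive APIs: {sorted(risky)}")
    # activeTab only grants access to the current tab after the user clicks
    # the extension, which is the restricted mode the article recommends.
    click_only = "activeTab" in apis and not broad
    return {"hosts": sorted(hosts), "findings": findings, "click_only": click_only}


# Constructed manifests: one over-broad, one limited to click plus a single site.
BROAD_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Wallet Helper (constructed)",
    "permissions": ["storage", "clipboardRead", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
SCOPED_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Scoped Helper (constructed)",
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://example-wallet.invalid/*"],  # placeholder
})

if __name__ == "__main__":
    for name, manifest in (("broad", BROAD_MANIFEST), ("scoped", SCOPED_MANIFEST)):
        print(name, audit_manifest(manifest))
```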

Denley also advises users to consider creating a separate browser user profile that is used solely for cryptocurrency activity:

“This will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.”
