Another day, another malware scam – In the latest, 49 security extensions on Google Chrome have been found to be engaging in malicious activities under the pretext of being cryptocurrency wallets.
Discovered by researchers from PhishFort and MyCrypto, these extensions contained malware that was being used to steal confidential information involving the private keys of wallets, seed phrases that are used for retrieving a lost wallet and Keystore files.
It is worth noting that cybercriminals behind this attack are using Google Adwords to spread the scam. Google Adwords is an online advertising service that lets users pay Google to display advertisements on prominent slots during its search engine results.
For instance, if the user does a Google search using the term “Download Antivirus,” the top slot will display related results. In some cases first four search results display ads paid by people or companies to get quick sales or traffic.
A similar technique was observed in December 2017 when HackRead.com identified fake Chrome browser download through Google Adwords and Google Drive.
As for the latest, the malware works in a way that as the data is received, “the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts”, explains Harry Denley of MyCrypto.
Furthermore, the malware used 14 unique C2 servers with some sending the collected data back to GoogleDocs while the majority “hosted their own backend with custom PHP scripts.”
The extensions believed to be the work of Russian hackers initially surfaced in February with 2.04% published then, 34.69% published in March and 63.26% published in April pointing towards an increasing trend over the months.
When the researchers reported their findings to Google, they were removed within 24 hours. However, since they had been active for a couple of months, they may have caused significant damages.
Delving into the specifics, according to the researchers’ blog post, these extensions were imitating the following cryptocurrency wallet brands:
- Ledger – 57% of all extensions
- MyEtherWallet – 22% of all extensions
- Trezor – 8% of all extensions
- Electrum – 4% of all extensions
- KeepKey – 4% of all extensions
- Jaxx – 2% of all extensions
- MetaMask & Exodus – 3% of all extensions
The above video demonstrates attack being carried out by an extension named MEW CX on a MyEtherWallet with Harry explaining,
It looks the same as your typical MyEtherWallet experience until you type in your secrets. After you’ve submitted them, the malicious application sends your secrets back to the server controlled by the bad actor(s) before sending you back to the default view, and then does nothing…
This leads to the funds being stolen although not from every single account. There’s no confirmation as to why only selective accounts are targeted but possibilities are that the attackers may only be interested in accounts with a substantial amount of money or may not have the time to “sweep” all accounts as they may have to do it manually.
As is the case with such extensions usually, these too were accompanied by low-quality fake reviews with words such as “helpful app” to pump up user ratings. On the contrary, legitimate reviews by informed users were also found who warned others of the scam.
To conclude, we also covered a similar incident back in February on HackRead.com when over 500 Chrome extensions were removed due to the illegal exfiltration of data being carried out. Hence, this represents an ongoing security problem that Google needs to tackle to secure its users.
As users, you could be more careful about the permissions granted to extensions and read user reviews like Sherlock before you decide to trust one. Simple measures but very effective nonetheless.