Sophos home extension chrome

Google has kicked 49 malicious Chrome browser extensions out of its Web Store that were posing as cryptocurrency wallets in order to drain the contents of bona fide wallets.

The extensions were discovered by researchers from MyCrypto – an open-source interface for the blockchain that helps store, send and receive cryptocurrency – and from PhishFort, which sells anti-phishing protection.

On Tuesday, Harry Denley, MyCrypto Director of Security, said that malicious browser extensions aren’t new, but the targets in this campaign are: they include the cryptocurrency wallets Ledger (57% of the bad extensions targeted this wallet, making it the most targeted of all the wallets, for whatever reason), Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Denley said that essentially, “the extensions are phishing for secrets,” including users’ mnemonic phrases, private keys, and keystore files, which are security files used for things like identifying app developers or in SSL encryption.

Denley said that once a user entered those secrets, the malicious extensions sent an HTTP POST request to the backend, which is where the bad actors got their hands on the secrets and used them to vacuum out wallets.

MyCrypto identified 14 unique command-and-control servers (C2s) receiving data from compromised systems. After running fingerprinting analysis on the servers, the researchers found that some of them were linked. That means they likely had common bad actors pulling multiple servers’ levers.

While some of them sent the phished data back to a GoogleDocs form, most hosted their own backend with custom PHP scripts, Denley said. You can see a list of the servers here on his post.

Most of the domains are brand new: 80% of them were registered in March and April. The oldest domain, ledger.productions, is the most interconnected to other servers. That gives researchers some indication of the same backend kit or the same actors running the campaign for most of the extensions.

One of the servers gave off a few clues about the campaign, if in fact those clues can be taken at face value. For one thing, it looks like the crypto wallet raiding campaign could have roots in Russia, given that an admin’s email ends in “r.ru”.

MyCrypto published the following video to show how a malicious extension targeting MyEtherWallet users works.

Denley said that the process mimics a typical MyEtherWallet experience, until a user types in their secrets. The malicious app sends them back to the C2s, then routes the user back to the default view, and then does … absolutely nothing.

That results in either a frustrated user who submits their secrets again, or maybe even feeds the malware new secrets, or a user uninstalling the extension and forgetting about it until their wallet has been drained dry. The “drained dry” outcome is likely to happen only after the extension has been removed from the store, meaning that a ripped-off user can’t investigate where their security hole was, Denley said.

Some of these nasty extensions have been rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

Denley says that one extension – MyEtherWallet – had the same “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared an introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

The researchers sent funds to a few addresses and submitted secrets to the malicious extensions. They weren’t automatically swept, however, perhaps because the bad actors are only interested in high-value accounts, or maybe because they have to manually sweep accounts.

Although the researchers didn’t lose their secrets to the malicious extensions, others have publicly posted about losing funds to the extensions on the Chrome support forum, Reddit and Toshi Times.

Google swept the trashy extensions from the Chrome store within 24 hours of getting a heads-up.
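The article describes the mechanics from the victim's side: the extension collects a mnemonic phrase, private key or keystore file and ships it to a backend with an HTTP POST, sometimes to a Google Docs form rather than a custom PHP collector. The Python below is an added detection sketch, not code from the article, from MyCrypto or from PhishFort: it scans outbound POST records (the records here are constructed for illustration) for values shaped like wallet secrets and flags any that go to a host outside an allowlist. The field names, hostnames, allowlist and the word-count heuristic for mnemonics (no BIP39 wordlist is bundled) are all assumptions.

```python
"""Added example: flag outbound HTTP POSTs whose bodies look like wallet secrets.

Everything below (records, hosts, field names, heuristics) is constructed for
illustration; nothing is taken from the researchers' own report or tooling.
"""
import json
import re
from urllib.parse import urlparse, parse_qs

# Word counts of BIP39-style mnemonic phrases. Without shipping the wordlist this
# is a shape heuristic (assumption): N lowercase alphabetic words.
MNEMONIC_WORD_COUNTS = {12, 15, 18, 21, 24}
# A raw 256-bit private key as 64 hex characters, optionally 0x-prefixed.
HEX_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")


def looks_like_mnemonic(value: str) -> bool:
    words = value.strip().split()
    return len(words) in MNEMONIC_WORD_COUNTS and all(
        w.isalpha() and w.islower() for w in words)


def looks_like_private_key(value: str) -> bool:
    return bool(HEX_KEY_RE.match(value.strip()))


def looks_like_keystore(value: str) -> bool:
    """Ethereum-style keystore JSON carries a 'crypto'/'Crypto' object with a ciphertext."""
    try:
        doc = json.loads(value)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    crypto = doc.get("crypto") or doc.get("Crypto")
    return isinstance(crypto, dict) and "ciphertext" in crypto


def classify(value: str):
    """Return the secret type a value resembles, or None."""
    if looks_like_keystore(value):
        return "keystore"
    if looks_like_private_key(value):
        return "private_key"
    if looks_like_mnemonic(value):
        return "mnemonic"
    return None


def extract_fields(body: str):
    """Yield (field, value) pairs from a form-encoded or JSON POST body."""
    stripped = body.strip()
    if stripped.startswith("{"):
        yield ("<body>", stripped)          # a keystore upload is usually the whole body
        try:
            doc = json.loads(stripped)
        except ValueError:
            return
        if isinstance(doc, dict):
            for key, val in doc.items():
                if isinstance(val, str):
                    yield (key, val)
        return
    for key, vals in parse_qs(stripped).items():
        for val in vals:
            yield (key, val)


def scan_posts(records, allowed_hosts):
    """Alert on POSTs carrying secret-shaped values to hosts that are not allowlisted."""
    alerts = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        host = urlparse(rec["url"]).hostname or ""
        if host in allowed_hosts:
            continue
        for field, value in extract_fields(rec.get("body", "")):
            kind = classify(value)
            if kind:
                alerts.append({"host": host, "field": field, "kind": kind,
                               "source": rec.get("source", "?")})
    return alerts


# Constructed sample traffic (placeholder extension id, .invalid hosts).
SAMPLE_POSTS = [
    {"source": "chrome-extension://PLACEHOLDER-ID", "method": "POST",
     "url": "https://c2-backend.invalid/collect.php",
     "body": "wallet=ledger&mnemonic=apple+river+stone+cloud+lemon+tiger"
             "+piano+ocean+maple+candle+velvet+zebra"},
    {"source": "chrome-extension://PLACEHOLDER-ID", "method": "POST",
     "url": "https://docs.google.com/forms/d/e/PLACEHOLDER/formResponse",
     "body": "entry.1=0x" + "ab" * 32},
    {"source": "chrome-extension://PLACEHOLDER-ID", "method": "POST",
     "url": "https://c2-backend.invalid/upload.php",
     "body": json.dumps({"version": 3, "id": "constructed", "address": "00" * 20,
                         "crypto": {"cipher": "aes-128-ctr",
                                    "ciphertext": "cc" * 32, "kdf": "scrypt"}})},
    {"source": "chrome-extension://PLACEHOLDER-ID", "method": "POST",
     "url": "https://api.wallet-vendor.invalid/v1/broadcast", "body": "tx=0xdeadbeef"},
    {"source": "browser", "method": "POST",
     "url": "https://reviews.example.invalid/submit", "body": "comment=legit+extension"},
]
# Assumed allowlist: the vendor's own API. Note that docs.google.com is deliberately
# not on it, since collectors in this campaign included Google Docs forms.
ALLOWED_HOSTS = {"api.wallet-vendor.invalid"}


def demo():
    return scan_posts(SAMPLE_POSTS, ALLOWED_HOSTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run as a script it reports three alerts (the mnemonic to the PHP collector, the private key to the Google form, and the keystore upload) and stays silent on the vendor API call and the review submission. The heuristics are deliberately loose; in production the mnemonic check would validate against the BIP39 wordlist and the allowlist would be derived from the extension's declared permissions rather than hand-written.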






