Google has recently removed dozens of fake Chrome extensions from the Chrome store. These extensions were malicious since they targeted crypto wallets to steal keys.
Fake Chrome Browser Extensions
According to ZDNet, Harry Denley of MyCrypto observed numerous browser extensions with malicious behavior on the Chrome Store. As per his findings, these fake Chrome extensions stole keys from crypto wallets.
Sharing the details in a post, Denley explained that he found 49 different Chrome extensions that impersonated legitimate wallet software. They targeted the crypto wallets Ledger, Trezor, Electrum, Jaxx, KeepKey, Exodus, MyEtherWallet, and MetaMask; among these, Ledger emerged as the most-targeted crypto wallet.
Regarding how the extensions worked, researchers stated,
The extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.
The following video demonstrates how an extension targeted MyEtherWallet.
The researcher observed that the theft would not begin right away. Rather, the attacker behind the extensions tended to wait: after pilfering the secrets, the attackers would typically start withdrawing funds from the victim's wallets only after the user had uninstalled the extension out of frustration, making the extension harder to link to the loss.
Google Removed Malicious Extensions
Upon discovering these malicious extensions, the researchers collaborated with Google. Following the reports, Google removed the extensions within 24 hours.
However, the purportedly Russian attacker behind this campaign remains at large. Thus, the threat for the re-emergence of such malicious extensions on the Web Store still exists.
Most crypto wallets targeted in this campaign have previously made it to the news for various cybersecurity incidents. Thus, the present attack continues the trail of crypto scams, reiterating the need for wariness while dealing with cryptocurrency.
Researchers advise users to use a separate browser for cryptocurrency activity to limit the attack surface. They also recommend that users review the permissions requested by each extension and remove any extension that asks for permissions it does not need.
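The permission review advised above can be partly automated. The following is an added example (not code from the article, MyCrypto or Google) that audits an extension's manifest.json for two signals the campaign relied on: a name that borrows a wallet brand from the list above, and broad host or sensitive API permissions that let the extension read what a user types on any site. The two manifests are constructed samples, not real extensions.

```python
import json

# Wallet brands named in the article; a brand name in an extension title is a
# reason to verify the publisher, not proof of malice.
WALLET_BRANDS = ("ledger", "trezor", "electrum", "jaxx", "keepkey",
                 "exodus", "myetherwallet", "metamask")
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that a wallet helper rarely needs but a credential phisher can abuse.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "cookies", "clipboardRead", "history"}

def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest.json."""
    findings = []
    name = manifest.get("name", "").lower()
    brand = next((b for b in WALLET_BRANDS if b in name), None)
    if brand:
        findings.append(f"name references wallet brand '{brand}': verify the publisher")
    # MV2 lists hosts under "permissions"; MV3 moved them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append(f"broad host access {broad}: can read input on any site")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append(f"sensitive API permissions {sensitive}: check they are justified")
    return findings

# Constructed sample manifests (not real extensions).
FAKE_WALLET_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Ledger Live Wallet Helper",
  "permissions": ["<all_urls>", "tabs", "storage"]
}""")
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Counter",
  "permissions": ["storage"], "host_permissions": []
}""")

if __name__ == "__main__":
    for label, m in (("fake", FAKE_WALLET_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(m) or ["no findings"])
```

Point the function at the `manifest.json` inside each folder of the browser's extensions directory to review everything installed at once.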