Large campaigns spreading malicious browser extensions are abusing Google Ads and well-known cryptocurrency brands to draw in victims.
Extensions add widgets or other functionality to a web browser: everything from custom search wallpapers and live weather data to language translation, ad blocking and security scanning. The same category includes shortcuts for cryptocurrency wallets, mining and trading, which is what the extensions in this campaign pretended to be.
Researchers from MyCrypto recently found several fake extensions, since removed from Google's Chrome Web Store, that purported to be of use to cryptocurrency users. In reality, they harvested exactly the information needed to take over a wallet and drain it: mnemonic (seed) phrases, private keys and keystore files, according to the researchers.
To lure victims to their nefarious wares, the extensions impersonated legitimate brands, including Electrum, Exodus, Jaxx, KeepKey, Ledger, MetaMask, MyEtherWallet and Trezor, and were promoted through a malvertising campaign running on Google Ads.
“Whilst the extensions all function the same, the branding is different depending on the user they are targeting,” according to the analysis, published on Tuesday.
Once a victim installed one of the extensions, it prompted them to sign into their wallet. Whatever secrets were entered, the extension sent in an HTTP POST request to the attackers' command-and-control (C2) server. A genuine wallet never needs to transmit a seed phrase or private key to any server, since signing happens locally; an extension that does so is, by definition, exfiltrating it.
Using the example of the fake MyEtherWallet extension, “It looks the same as your typical MyEtherWallet experience until you type in your secrets,” according to the analysis. “After you’ve submitted them, the malicious application sends your secrets back to the server controlled by the bad actor(s) before sending you back to the default view, and then does nothing.”
At that point, users may be frustrated and either re-enter their credentials, or uninstall the extension, “[thus] forgetting about the ramifications of typing their secrets until their wallet is drained of funds — which most likely will be after the extension is removed from the store so they cannot investigate where their security hole was,” explained MyCrypto researchers.
MyCrypto researchers linked a total of 14 different C2 servers to the malicious extensions. Most were hosted on the attackers' own infrastructure with custom PHP scripts, and many shared characteristics that suggest a single actor behind them. About 80 percent of the C2 domains were registered in March and April.
To add an air of legitimacy to the extensions, some of them had significant numbers of fake, five-star reviews with short and to-the-point positive feedback, such as “good,” “helpful app” or “legit extension,” according to the researchers.
“One extension did stand out by having the same ‘copypasta’ around eight times, authored by different users, sharing an introduction into what Bitcoin is and explaining why the (malicious) MyEtherWallet was their preferred browser extension (Note: MEW doesn’t support Bitcoin),” they noted.
Encouragingly, some legitimate reviews did warn that the extensions were malicious.
MyCrypto's dataset also suggests that more of these extensions will keep appearing. They began hitting the store slowly in February (2 percent of the set were published that month), picked up through March (34.69 percent) and took off in April (63.26 percent).
“This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially,” according to MyCrypto.
While extensions are useful, they can also introduce danger. Beyond intentionally malicious extensions, legitimate ones are common targets for cybercriminals looking to exploit vulnerabilities in their code. Earlier this year, Mozilla and Google banned hundreds of suspicious extensions from their respective stores.