49 Malicious Cryptocurrency Wallet Extensions Removed From Chrome

Google has now reportedly removed no fewer than 49 malicious cryptocurrency Chrome extensions from its browser after they were discovered to be stealing users’ data. Discovered by Harry Denley, Director of Security at the MyCrypto platform, each of the extensions mimicked a real cryptocurrency wallet. That includes some relatively well-known wallets from the likes of Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

All of the extensions appear to be the handiwork of a single group or individual operating out of Russia. As a result, each effectively functioned the same way under the hood. But each was also designed to look and work the same as the legitimate app it mimicked. The goal here was presumably to ensnare users of the above-mentioned companies’ products.

Buried in the code behind the extensions, the bad actor included lines that were designed to steal crypto-wallet mnemonic phrases, Keystore files, and private keys.

These malicious Chrome extensions didn’t necessarily impact every cryptocurrency user

The Chrome extensions have been pulled, but testing suggests that the targeting was more selective than a simple grab of every account. Mr. Denley tested the extensions with test credentials for a cryptocurrency account, and the funds weren’t stolen right away. When the credentials and other details are entered, they are sent to one of the attacker’s servers or to a Google Form.

So the malicious extensions weren’t necessarily stealing just any and all funds from compromised accounts. The implication, according to the security director, is that only high-value accounts were likely being targeted.

Conversely, the attacker or attackers behind the malicious extensions may not be aware of how to automate the process. If that’s the case, they may have been targeting high-value accounts as a matter of necessity since those would need to be accessed manually.

Users need to protect themselves since other extensions could still crop up

Now, at least some of the extensions in question were highly rated on the strength of what appear to be fake reviews. In those cases, the reviews were either short and unhelpful or were copied and pasted multiple times. Reviews were also posted that called the extensions out as malicious. The nature of the extensions should have been fairly obvious.

Reading reviews is just one way that users can keep themselves safe when it comes to extensions, particularly since no preemptive measures put in place by Google or other web stores are necessarily going to stop malicious extensions from cropping up.

Mr. Denley suggests that users should protect themselves well beyond that too, especially since the bad actor or actors here haven’t been caught. So more extensions could easily crop up.

Users should also familiarize themselves with the permissions required by each extension. Those can be found by navigating to “chrome://extensions/” and then clicking the “Details” button on a given extension. Extensions with permissions that go beyond the scope their functionality needs should be removed.

Furthermore, it’s a good idea to only use extensions that operate on specific domains or sites, as opposed to extensions that run on all visited websites. Better still, users should limit themselves to extensions that only work when they’re clicked.
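The permission review described above can be applied to an extension’s manifest.json directly. The following Python script is an added example (not from the article, MyCrypto, or Google): it reads the declared API and host permissions, including the pages that content scripts are injected into, and flags extensions that reach every site or use sensitive APIs. The two sample manifests and the `wallet.example` domain are constructed for illustration.

```python
import json
import os

# Match patterns that grant access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}
# API permissions that warrant a closer look on an extension handling wallet data.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "clipboardRead", "cookies",
                  "history", "tabs", "nativeMessaging", "debugger", "proxy"}

def is_host_pattern(p):
    # Host patterns carry a scheme (or are <all_urls>); API names do not.
    return p == "<all_urls>" or "://" in p

def audit_manifest(manifest):
    """Summarise the site scope and sensitive API permissions of a manifest (MV2 or MV3)."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))   # MV3 keeps hosts separate
    hosts |= {p for p in perms if is_host_pattern(p)}    # MV2 mixes hosts into permissions
    apis = {p for p in perms if not is_host_pattern(p)}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))              # pages the extension injects code into
    all_sites = sorted(h for h in hosts if h in ALL_SITES)
    sensitive = sorted(apis & SENSITIVE_APIS)
    return {"name": manifest.get("name", "?"), "hosts": sorted(hosts),
            "all_sites": all_sites, "sensitive_apis": sensitive,
            "verdict": "REVIEW" if all_sites or sensitive else "scoped"}

def audit_profile(extensions_dir):
    """Audit every manifest.json under a Chrome profile's Extensions folder."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as f:
                results.append(audit_manifest(json.load(f)))
    return results

# Constructed samples: a wallet helper limited to one site vs. one that reaches every page.
SCOPED = {"name": "scoped-sample", "manifest_version": 3, "permissions": ["storage"],
          "host_permissions": ["https://wallet.example/*"],
          "content_scripts": [{"matches": ["https://wallet.example/*"], "js": ["cs.js"]}]}
BROAD = {"name": "broad-sample", "manifest_version": 2,
         "permissions": ["storage", "clipboardRead", "<all_urls>", "tabs"],
         "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]}

if __name__ == "__main__":
    for m in (SCOPED, BROAD):
        r = audit_manifest(m)
        print(f"{r['name']}: {r['verdict']} hosts={r['hosts']} apis={r['sensitive_apis']}")
```

Point `audit_profile` at a profile’s `Extensions` directory to review everything installed; anything reported as REVIEW deserves the “does it really need this?” question the article raises.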

When it comes to cryptocurrencies and related data, the security director suggests using a separate browser for that. Doing so, he suggests, limits the attack surface and confines any compromise to those accounts.