Google Removes 49 Phishing Chrome Extensions
Google recently removed 49 phishing Google Chrome browser extensions after receiving reports about their activity.
Harry Denley, Director of Security at cryptocurrency wallet startup MyCrypto, explained in an April 14th post on Medium how he got the extensions removed from the Chrome Web Store within 24 hours with the help of cybersecurity firm PhishFort.
The removed extensions included ones that targeted owners of hardware wallets made by the following:
Users of software wallets from the following were also targeted:
The extensions prompted users to enter the secrets needed to access their wallets, such as mnemonic (seed) phrases, private keys and keystore files, and sent them to the attackers.
With those secrets in hand, the attackers could import the wallets and withdraw the crypto assets they held.
Some of the extensions also had fake five-star ratings in the Chrome Web Store, but the reviews carried little to no information, ranging from “good” and “helpful app” to “legit extension.”
One of the extensions reportedly had the same review copied and pasted eight times by different users. The copypasta incorporated an introduction to Bitcoin and explained why MyEtherWallet — the extension’s targeted wallet — was the preferred wallet option. It is worth noting that MyEtherWallet does not actually support Bitcoin.
One bad actor behind most extensions
The investigation revealed 14 control servers behind the extensions, but fingerprinting analysis showed that several of these servers were operated by the same group, with the oldest domain linked to many of the others. Denley concluded that the same bad actors were behind most of the extensions.
Some of the domains used in the phishing campaigns were moderately old, but 80% of them were registered in March and April 2020. Most of the extensions were published on the Chrome Web Store in April 2020.