Malicious Google Chrome Extensions Can Access Your Cryptowallet

Browser extensions add widgets and other functionality to a web browser, from a custom search-page wallpaper to live weather data to language translation. Useful as they are, extensions can also be dangerous. Beyond extensions that are malicious by design, legitimate extensions are a common target for criminals who exploit vulnerabilities in their code.

Google has just removed 49 malicious extensions from the Chrome Web Store. They posed as cryptocurrency wallet applications such as Ledger, MyEtherWallet, Trezor and Electrum, but in reality they stole confidential information such as the user's private keys. All 49 appear to be maintained by the same person or group, and there is speculation that the developers are based in Russia. If an extension succeeded in duping a victim into installing it, it prompted the user to sign in to their cryptocurrency account. Once the credentials were entered, the extension sent them in an HTTP POST request to its command-and-control (C2) server.

Although the extensions all work the same way, their details were adjusted for different targets. Security researchers identified malicious extensions impersonating well-known cryptocurrency wallet applications, including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey. Each looks and behaves much like the original, but behind the scenes everything entered during the setup process is quietly sent to a server or a Google Form controlled by the attacker.

In a controlled experiment, researchers found that the operators did not immediately drain the victim's funds. The actors behind the campaign apparently prefer to wait and steal only from high-value accounts. Even so, thefts have already been reported, and because most cryptocurrency transactions are irreversible, victims have little hope of recovering stolen funds. Further waves are expected in the coming months, so be cautious when searching for wallet extensions in the Chrome Web Store: install them only through the links published on the wallet vendor's own website, and check that the listed developer matches the vendor.

LIFARS' Tabletop Exercises are individually tailored to the specific data protection needs of each client. LIFARS experts identify and interview essential personnel to understand your company's distinct capabilities and existing contingency plans, then use this information to formulate a custom data-breach scenario based on our real-world experience. The exercise simulates a cyber emergency to evaluate your organization's key personnel and processes, and gives your incident response team the opportunity to hone the practical skills they will need to confront inevitable real-world threats.

Your team will recognize the nature and extent of the data breach, conduct triage to understand the impact on your organization and data, make collaborative decisions about containing the evolving threat, and identify the notifications required by the pertinent regulations. A detailed report documenting the event explains our findings and highlights improvements to your cybersecurity and incident response readiness. Typical Tabletop Exercise scenarios include:

  • GDPR Data Breach
  • Business Email Compromise
  • Ransomware Containment
  • Insider Threat
  • SaaS Provider Data Breach
  • Social Media Compromise


Contact LIFARS Immediately For
Mitigating Cyber Risks in Your Organization