New Phishing strategy to Steal your Cryptocurrency – Nasty Chrome Extensions

Chrome extensions are small software programs that let you customize the browsing experience and build powerful tools that help solve problems right inside your web browser. Under the hood, they are nothing but web pages built with web technologies such as HTML, JavaScript, and CSS.

Any tool powerful enough to do good can be misused as well. Enter malicious Chrome extensions.

Did you know you can build a Chrome extension that modifies a website’s HTML or CSS, steals passwords, or steals CPU power? Yes, malicious Chrome extensions can do all sorts of evil things, including phishing.

Such nasty Chrome extensions have been around for a long time, stealing critical user data and engaging victims in click fraud.

However, the recent hack of the Hola VPN service, in which attackers compromised its free VPN Chrome extension and tricked myetherwallet.com users into giving up their login details, makes it evident that hackers are now using Chrome extensions to phish the wallet credentials or private keys of users of online wallet services.

Popular cryptocurrency wallet providers like myetherwallet.com make it easy for you to access your wallet on the web using a secret such as a private key, keystore file, or mnemonic phrase. Certainly, this is a very powerful feature, but also a potentially dangerous one, because each user is responsible for keeping their own private keys or mnemonic phrases secret.

If a hacker can trick you into sharing your mnemonic phrase, they can steal everything from your accounts. And since there is so much room for end-user error, it is always recommended to either use a hardware wallet or be aware of all the possible ways you could get pwned.

New Phishing Strategy – Compromised chrome extensions

In recent times, hackers have stolen between $152,000 and $365,000 worth of Ether from users of the popular cryptocurrency wallet provider myetherwallet.com by redirecting them to a phishing website. The hackers were able to break into the DNS server at an ISP, replace the genuine website address with that of a phishing site, and carry out a mass phishing attack on those users.

Another common phishing technique used by hackers to steal cryptocurrency wallet keys involves spreading fake token sale or airdrop programmes across social media sites, which redirect users to a legitimate-looking phishing site.

As if this were not enough, hackers are now phishing cryptocurrency wallet users by compromising popular extensions that such users normally install.

New Phishing strategy to Steal Cryptocurrency

For example, look at the Hola VPN hack. The hackers were well aware that most crypto users use a VPN to maintain anonymity. All they did was compromise Hola VPN’s Google Chrome Store account and upload a modified version of the extension to the store. Any new potential user who searched for a free VPN extension unknowingly installed this tampered extension.

Now imagine: what if these crooks build a genuinely useful Chrome extension made specifically for the crypto world, like a tool that quickly lets you check cryptocurrency prices or some other crypto-related details?

Alongside it, they bundle malicious code that injects JavaScript to perpetrate phishing attacks. All they have to do is advertise or push this Chrome extension to potential crypto users.

Phishing attacks are perpetrated through a variety of channels, and hackers are only getting more sophisticated day by day.

How does JavaScript injection with a Chrome extension work?

The essence of JavaScript injection is to inject JavaScript code that runs on the client side, i.e. in the user’s web browser.

With JS injection a malicious user can modify the information a website displays, insert new page elements like a pop-up, or manipulate parameters like cookies, causing serious website damage, information leakage, and even full compromise.

Primarily, JS injection is perpetrated through website elements such as forum posts, article comment fields, or any other form where text can be inserted. Nevertheless, it can also be committed using Chrome extensions.

Google Chrome extensions provide a way to run our own scripts inside a web page via “content scripts”. Not only scripts: we can also inject our own stylesheets.

“Content scripts” are JavaScript files that run in the context of a web page. They can read and manipulate the DOM (Document Object Model) of any web page the browser visits.

Before we go ahead, make sure you know the basic anatomy of a Chrome extension.

Take a look at the following “content_scripts” snippet:

"content_scripts": [
    {
        "run_at": "document_end",
        "matches": ["https://myetherwallet.com/*"],
        "js": ["jquery-2.2.4.min.js", "script.js"],
        "css": ["css/custom.css"]
    }
]

Here, “jquery-2.2.4.min.js”, “script.js” and “custom.css” are the files we have declared as content scripts.

The “run_at” key tells Chrome when to execute our script, with the options “document_start”, “document_end” and “document_idle”.

This particular content script injects the listed files as soon as the page URL matches the pattern for https://myetherwallet.com (a Chrome match pattern must end with a path component, such as /*). Alternatively, the match list can cover several sites, or every page and tab.

The JavaScript file “script.js” contains the snippets that build the HTML elements, and the corresponding style information is saved in a separate file called “custom.css”.

Upon execution of the above scripts, the extension inserts a new HTML element into the web page: essentially a popup window that asks or tricks the user into sharing wallet details such as private keys or recovery phrases.

The injected scripts behave as if they were included by the page itself. Take a look at this popup impersonating an active MetaMask session:

[Image: popup phishing for wallet private keys and recovery phrases]

The pop-up interface asks the user to enter their wallet seed words. The form then sends the seed words to a private server, and presumably the funds are drained from all of that user’s accounts.
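As an added example (this is not code from the original article or from any extension it describes), here is a small Node.js audit that a defender or extension reviewer can run against an extension’s manifest to answer the two questions the section above raises: which content scripts would be injected into wallet pages (and when, per “run_at”), and whether the extension also holds host permissions broad enough to send a captured form anywhere it likes. The manifest, extension name, file names and wallet URL list are constructed for the example; the match-pattern handling follows Chrome’s documented <scheme>://<host><path> format, including <all_urls> and the “*.” subdomain wildcard, and flags a pattern with no path component (like the one in the snippet above, written without the trailing /*) as malformed, since Chrome rejects it.

```javascript
// Added example (not part of the original article): audit a Chrome extension manifest
// and report which content scripts would run on sensitive wallet pages.
// The manifest, URL list and file names below are constructed for this example.

const SAMPLE_MANIFEST = {
  name: "Crypto Price Ticker (constructed sample)",
  manifest_version: 2,
  // "https://*/*" is a host permission reaching every HTTPS server; it is what an
  // extension needs to post captured seed words to its own server, so question it.
  permissions: ["tabs", "https://*/*"],
  content_scripts: [
    {
      run_at: "document_end",
      matches: ["https://myetherwallet.com/*"],
      js: ["jquery-2.2.4.min.js", "script.js"],
      css: ["css/custom.css"],
    },
    {
      run_at: "document_start",
      matches: ["<all_urls>"],
      js: ["ticker.js"],
    },
    {
      // No path component: Chrome rejects this pattern, so it injects nowhere.
      matches: ["https://myetherwallet.com*"],
      js: ["script.js"],
    },
  ],
};

// Pages a reviewer cares about (constructed list).
const WALLET_URLS = [
  "https://www.myetherwallet.com/access-my-wallet",
  "https://myetherwallet.com/",
  "http://example.org/news",
];

// Escape a literal string for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Translate one Chrome match pattern (<scheme>://<host><path> or <all_urls>)
// into a RegExp. Returns null for a malformed pattern, e.g. one without a path.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^(https?|ftp|file):\/\/.*$/;
  const m = /^(\*|https?|ftp|file):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (m === null) return null;
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme; // '*' means http or https only
  let hostRe;
  if (host === "*") hostRe = "[^/]*";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + escapeRe(host.slice(2)); // domain and any subdomain
  else hostRe = escapeRe(host);
  const pathRe = path.split("*").map(escapeRe).join(".*"); // '*' in the path is a glob
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`);
}

// True if any pattern in the list covers the URL.
function patternsCover(patterns, url) {
  return patterns.some((p) => {
    const re = matchPatternToRegExp(p);
    return re !== null && re.test(url);
  });
}

// A host permission is "broad" when it grants access to every host of a scheme.
function isBroadHostPermission(p) {
  return p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p);
}

// Walk the manifest and collect the findings a reviewer would want to see.
function auditManifest(manifest, sensitiveUrls) {
  const findings = [];
  (manifest.content_scripts || []).forEach((cs, index) => {
    const patterns = cs.matches || [];
    for (const p of patterns) {
      if (matchPatternToRegExp(p) === null) {
        findings.push({ kind: "malformed_pattern", script: index, pattern: p });
      }
    }
    for (const url of sensitiveUrls) {
      if (patternsCover(patterns, url)) {
        findings.push({
          kind: "injects_into_sensitive_url",
          script: index,
          url,
          runAt: cs.run_at || "document_idle", // Chrome's default when run_at is omitted
          files: [...(cs.js || []), ...(cs.css || [])],
        });
      }
    }
  });
  const broad = (manifest.permissions || []).filter(isBroadHostPermission);
  if (broad.length > 0) findings.push({ kind: "broad_host_permission", permissions: broad });
  return findings;
}

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST, WALLET_URLS), null, 2));
```

Two things the output makes visible that reading the manifest by eye tends to miss: a pattern for the bare domain does not cover www.myetherwallet.com (only a “*.” host wildcard or <all_urls> does), and a content script declared with <all_urls> runs on every wallet page regardless of how innocuous the extension’s stated purpose is. Run it with node against a real manifest.json by replacing SAMPLE_MANIFEST with the parsed file.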

How do I protect my wallet against hackers?

The internet is a minefield, and a trap can be set in any message you receive or site you visit. This guide advocates best practices to prevent phishing attacks on your cryptocurrency wallet.

One of the easiest ways to keep your cryptocurrency safe is, of course, to use a cold storage or hardware wallet. Get yourself a Ledger or TREZOR hardware wallet, which will cost you less than $100. However, if you do not wish to buy a cold storage wallet, follow the security tips below to keep your digital fortune safe.

  1.  Always bookmark your crypto sites and use those bookmarks from then on.
  2.  Always log in to your crypto sites in your web browser’s incognito mode, where extensions are disabled by default and so their code injection is not possible.
  3.  Never trust any social media message or URL. Don’t ever fall for messages that say you can get free ETH. Always verify information with a secondary source.
  4.  If you do not wish to use incognito mode, install EAL or Cryptonite to warn you when you go to a malicious website.
  5.  Don’t ignore SSL certificate warnings. Having a simple SSL certificate (i.e. just https) in the URL doesn’t make the website legitimate. Always look for “Extended Validation SSL encryption”. Sites using Extended Validation certificates generally show their company name in front of the https URL. It is a security feature put in place to verify that the website is actually served by the company it claims to be from.