Google has ousted 49 Chrome browser extensions from its Web Store that mimicked as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies.
The long list sum 49 browser add-ons including Ledger wallet, potentially the work of Russian based cybercriminals, were identified (find the list here) by researchers from MyCrypto and PhishFort.
“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files,” explained Harry Denley, director of security at MyCrypto. “Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.” Additionally all of the extensions have the same functionality but their branding changes based on who they are targeting.
Moreover, an analysis suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.
- Ledger — 57% of malicious browser extensions in dataset
- MyEtherWallet — 22% of malicious browser extensions in dataset
- Trezor — 8% of malicious browser extensions in dataset
- Electrum — 4% of malicious browser extensions in dataset
- KeepKey — 4% of malicious browser extensions in dataset
- Jaxx — 2% of malicious browser extensions in dataset
Some of the extensions, Denley said, came with fake five-star reviews, thus increasing the chances that an unsuspecting user might download it.
Data stealing extensions have been a regular occurrence on the Chrome Web Store, leading Google to purge them as soon as they’re discovered. Back in February, the company removed 500 malicious extensions after they were caught serving adware and sending users’ browsing activity to C2 servers under the control of attackers.
If you suspect you have become a victim of a malicious browser extension and lost funds, it’s recommended you file a report at CryptoScamDB.
For Ledger user please bear in mind that only download Ledger Live application through their official site here.