Browser Extension Steals Bitcoin from Unsuspecting Users

Recently, a blogger posted information about a malicious browser extension that posed as a “Blockchain Cashback Service”. The project told users that it would return money on specific transactions. In reality, the project turned out to be a complete scam: the extension would steal login information and cryptocurrency wallet data.

Since its launch in December 2018, the attackers have managed to steal 23 bitcoin ($80,500 USD). The extension has since been removed from the Google Chrome store.

How did it work?

The extension would steal your cryptocurrency login secrets based on which domain you were currently visiting. One of the first users reported that, after installing the extension, Google Chrome asked him to grant it permission to access and write local data for domains such as Binance, Coinbase, and LocalBitcoins. The malware would steal a variety of information depending on which domain the user was currently on. For Coinbase, it would steal a user’s login information, 2FA codes, and cookies, and then attempt to automatically steal the user’s crypto assets.
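The permission prompt described above is the one thing a user or administrator sees before the theft starts. As an added example (not code from the post or from the extension itself), the following Python audit reads an extension’s manifest.json and flags host permissions or content-script matches that cover exchange domains; the watch-list and the sample manifest are constructed for this example.

```python
import json

# Constructed watch-list built from the exchanges named in the post; extend as needed.
SENSITIVE_DOMAINS = ["binance.com", "coinbase.com", "localbitcoins.com"]

# Patterns that grant access to every site, which covers the watch-list implicitly.
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_matches(pattern: str, domain: str) -> bool:
    """True if a Chrome match pattern (e.g. '*://*.coinbase.com/*') covers `domain`."""
    if pattern in BROAD_PERMISSIONS:
        return True
    # '*://www.binance.com:443/*' -> 'www.binance.com'
    host = pattern.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    wildcard = host.startswith("*.")
    base = host[2:] if wildcard else host
    # Exact host, a subdomain of the watched domain, or a wildcard that spans it.
    return (base == domain or base.endswith("." + domain)
            or (wildcard and domain.endswith("." + base)))


def audit_manifest(manifest_text: str) -> dict:
    """Collect host access from MV2 `permissions`, MV3 `host_permissions`
    and content-script `matches`, then report which watched domains it reaches."""
    m = json.loads(manifest_text)
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        patterns.update(p for p in m.get(key, []) if "://" in p or p == "<all_urls>")
    for script in m.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    flagged = sorted(d for d in SENSITIVE_DOMAINS if any(host_matches(p, d) for p in patterns))
    broad = sorted(patterns & BROAD_PERMISSIONS)
    return {"name": m.get("name", "?"), "flagged_domains": flagged,
            "broad_patterns": broad, "risky": bool(flagged or broad)}


# Constructed sample manifest shaped like the cashback extension's permission request.
SAMPLE_MANIFEST = json.dumps({
    "name": "Cashback Helper (constructed sample)",
    "manifest_version": 2,
    "permissions": ["storage", "cookies", "*://*.coinbase.com/*", "*://www.binance.com/*"],
    "content_scripts": [{"matches": ["*://localbitcoins.com/*"], "js": ["inject.js"]}],
})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest.json inside each unpacked extension directory of a managed browser profile; anything flagged is worth a look before it sits next to an exchange login.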

This is Real CryptoJacking, and it’s Scary

We’ve previously talked about how the word “CryptoJacking” was being thrown around by unprofessional netsec authors and antivirus companies to scare users, for example regarding the websites Coinhive.com and Crypto-Loot.com, browser-based miners that amateur authors deemed “malware”. The buzzword for these browser miners was “CryptoJacking” throughout all of 2018. With that said, all these services did was help a webmaster earn more profit by letting their visitors mine cryptocurrencies such as Monero or uPlexa. The idea is to provide an alternative to advertisements and privacy-invading corporations. How can we take anybody seriously who classifies such services as malware, or “CryptoJacking”?

On the other hand, we have real “CryptoJacking” going on, resulting in users LOSING their crypto assets and fiat money to real-world scams; that is “CryptoJacking”. It’s hard to know who to trust these days. One thing is certain: it’s not the Network Security industry…