Hackers have been using Google Ads to target unsuspecting cryptocurrency investors into installing malicious browser extensions, with the aim of stealing passphrases and private keys and draining funds from their wallets.
Harry Denley, a researcher at MyCrypto, has described how he discovered scores of malicious Chrome browser extensions that targeted cryptocurrency wallets from Ledger, Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet, and Trezor.
“Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”
Once stolen, the bogus extensions would forward sensitive data entered by the user to servers under the control of the hackers, or a Google form.
Of course, just creating a malicious browser extension that steals your cryptocurrency wallet’s private key and then getting it into the Chrome web store isn’t enough. You also need to drive your potential victims to the extension in the first place.
The attackers were able to do this by purchasing Google Ads directed at those searching for cryptocurrency wallets, such as the one made by Trezor.
According to Denley, some of the extensions had received fake five-star reviews and bogus positive feedback in the Chrome web store in an an attempt to reassure users wondering whether they were safe to install or not:
“Most of the positive feedback by bad actors were low quality, such as “good,” “helpful app,” or “legit extension.””
Mixed amongst the positive feedback there were also legitimate reviews that correctly pointed out the malicious nature of the browser extensions and warned users not to download them.
Complaints about the bogus extensions from users who claim to have lost funds have also appeared on message boards.
The good news is that Denley reported the offending extensions to Google, and they have now been removed from the Chrome web store. The bad news is that they were able to appear there in the first place, and that it was possible for the attackers to purchase Google Ads that directed traffic towards them.
It’s hard to imagine that hacking groups stealing money from cryptocurrency wallets won’t try similar attacks in the future.
Advice for cryptocurrency investors concerned that they might be similarly tricked by a bogus extension includes taking careful note of the permissions that each browser extension requires, and understanding their implications before giving approval.
In addition, you may choose to limit a Chrome browser extension to only working on a particular website, or when clicked upon.
Denley also advises users to consider creating a separate browser user that is used solely for cryptocurrency data:
“This will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.”