A malicious Chrome browser extension is stealing your digital coins

Pierluigi Paganini April 25, 2014

A user raised an alert on Reddit, on the presence of a malicious Chrome browser extension, on the official store, that is able to steal digital coins.

Security experts have recently observed a significant increase for the number of malicious browser extensions, malware authors are exploiting the usage of browser addons to conduct illicit activities. Today we discuss about a new browser extension of Google Chrome, dubbed Cryptsy Dogecoin (DOGE) Live Ticker, that according security community is targeting crypto currencies schema. The browser extension was designed by cyber criminals to steal Bitcoins and other crypto coins.

Malware authors with increasing frequency are targeting crypto currency users, the trend is motivated by the desirable value of the digital coins and by the simplicity to arrange malicious campaigns targeting them.

The alert was raised by user on Reddit which observed that the browser extension on the store extension include a malicious code designed to target and hijack the crypto currency transactions.

malicious chrome browser extension
The malicious Chrome browser extension is available on the official Chrome Web store for free downloads, it was issued by “TheTrollBox” user.
“If you use any extensions in your browser, you’re vulnerable to updates which happen automatically without your knowing. This means you can be using it for weeks/months until the bad author updates the addon/extension with malicious code. It appears the author made an update today to steal Ð among other digital currencies 🙁 The extension is Cryptsy Dogecoin (DOGE) Live Ticker There is likely similar tickers for other currencies. “
The Chrome browser extension specifically targets crypto-currency community, once downloaded and installed by the user, it monitors victim’s web activity, monitoring user’s access to Cryptocurrency exchange sites such as Coinbase and MintPal. Once the browser extension detects that the victim is performing a virtual currency transaction, it silently modifies the parameter of the transaction. The malicious browser extension in fact replaces the receiving address with the one manage by the attacker.
The unpleasant experience happened to the Reddit user that promptly launched the alert after receiving confirmation from MintPal of a withdrawal made by the browser extension.
The author of the malicious Chrome browser extension has also developed 21 more similar extensions, all available in the Google Chrome Store. It is strongly suggested to review their code and anyway to track this user. The extensions are:
What can you do to protect yourself against it? 
“Use Chrome without extensions whenever dealing with bitcoins online. Either start Chrome with chrome –disable-extensions, or use private mode (check carefully that all extensions are disabled in private mode).
When viewing a recipient’s bitcoin address on screen, check the source code of the page to see if it shows exactly the same address. In Chrome, press CTRL+U and look for the address. A code inspector (e.g. the one that opens by pressing F12) won’t work since it shows you the code including changes made by Javascript after having loaded the page.”

Pierluigi Paganini

(Security Affairs –  Chrome extension, malware, Bitcoin)


you might also like

leave a comment