Harry Denley, the Director of Security for MyCrypto platform, discovered a malicious Chrome browser extension that claims to help its users manage cryptocurrency, but actually steals crypto wallet private keys and passwords for several cryptocurrency management websites. The extension, named “Shitcoin Wallet,” is able to carry out its tactics by injecting JavaScript code on webpages. The extension can affect users in multiple ways. Any funds that are handled within the extension are put at risk because the private keys for the wallets are sent to a third-party site with the domain erc20wallet[.]tk. The extension can also steal login and private key data and send them to the same site when users visit five different crypto management platforms by actively injecting malicious JavaScript code. When the original article was published, the extension could still be found on the Chrome Web Store. The team responsible for the extension would not respond for comments regarding the situation. It is not yet clear whether the extension was modified by a third-party attacker to include the malicious code or if the browser extension was originally designed to steal information.
Analyst Notes
Downloading unfamiliar or unverified extensions from the Chrome Web Store can cause a risk to users. It is important to check out extensions or apps before they are downloaded and make sure they’re coming from a trusted source and a reputable developer. Enterprise IT administrators should consider controls to limit or audit the installation of browser extensions on corporate computers. Browser extensions can potentially access any information that employees type into web pages and steal sensitive information, sending it directly to an attacker’s external website.
Source: https://www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/
