On April 14, it has been reported that Harry Denley, the Director of Security at MyCrypto, the cryptocurrency wallet startup, explained how he got the extensions removed from Chrome’s store within 24 hours with the help of PhishFort.
However, the removed extensions include ones that targeted the owners of hardware wallets and users of software wallets produced by:
- Exodus, and
It has been analyzed that the extensions triggered the users to enter the credentials needed to access the wallet, such as mnemonic phrases, private keys, and keystore files, and sent them to bad actors. Then, hackers were able to steal the crypto assets contained in the wallets.
Also, some of the extensions had fake five-star ratings in the Chrome extension store, but the reviews contained little to no info ranging from “good,” “helpful app” to “legit extension.”
As per the report, one of the extensions reportedly had the same review copied and pasted eight times by different users. The copypasta included an introduction to Bitcoin (BTC) and explained why MyEtherWallet, the extension’s targeted wallet, was the preferred wallet option. Hence, it is worth noting that MyEtherWallet does not actually support Bitcoin.
It has also been analyzed that the investigation uncovered 14 control servers behind all the extensions, but fingerprinting analysis revealed that some of the servers were managed by the same bad actors, with the oldest domain being linked to many other control servers.
Subsequently, Denley concluded that the same bad actors were behind most of the extensions.
However, some of the domains used in the phishing campaigns were relatively old, but 80% of them were registered in March and April 2020.
Thus, most of the extensions were published on Chrome’s store this month.