Threat browser extension, or How easy it is to lose your cryptocurrency?

We periodically remind you how cryptocurrencies don't fall for the tricks and in General not to lose their cherished coins. Methods of fraudsters develop from year to year and now some of them are so cleverly disguised and that even tech-savvy the user is difficult to recognize danger. Today we will study the theme of malicious extensions to browsers. It would seem that they should make life easier, but often make it worse.

Below is the translation of the article user Harry on .

the

install everything

I Recently stumbled upon a project that promises cashback on each transaction, including trade on centralized exchanges. To get back to 5 percent, enough to install a browser extension. If the offer sounds too good to be true, then chances are it is a fraud. At the time of detection, the application of CCB Cash with an ID in Chrome liachincjagnalnmahhaioaogkngbmhf was 181 by the user. Now the app disappeared from the store.

Product that promises a return of 5 percent on all of your blockchain transactions. Too good to be true.

I studied the code and found it to be malicious behavior. Malicious extension is interested only in the following coins: , , , , , and .

the

What permissions requests an extension?

After installation, the extension requests a write access to a variety of domains, including Github, Exmo, Coinbase, Binance, HitBTC, LocalBitcoins, and others. It asks for access to all open tabs and your cookies – these permissions are often misused, stealing your assets from different exchanges and wallets.

the

What does it do?

To summarize in one sentence, the extension steals all your confidential information depending on the domain. For example, on Binance it steals login data, codes two-factor authentication and CSRF tokens, and then tries to automatically withdraw the coins.

Look at how this is happening.

Step 1. Theft of login information

The Extension contains code that is triggered when you tap the button and steals enter the mail and password by storing them in LocalStorage and sending it to your server without disrupting the normal process of entering the exchange.

Code that steals login information on Binance

Step 2. Theft codes, two-factor authentication

When you sign into the extension monitors the input two-factor authentication and waits until the form is sent. Then it translates the code entered on your server along with stored in LocalStorage mail and password from the first step.

Code, stealing code two-factor authentication at login

After entering the extension every 5 minutes to request a code from Google Authenticator that will be sent to the server. This gives malicious users more attempts, if they will try to log in to your account and pass code that was sent when you log in.

code Request two-factor authentication on Google Binance

Step 3. Stealing CSRF-token and output

When you're browsing on Binance your balance, increase steals your cookie CSRF token and sends it to your server. Then it makes a POST request to seize the balance of coins, and trying them out.

The Extension steals CSRF tokens to execute on them the function md5() to make POST request /exchange/private/yserAssetTransferBtc to seize your balance. After this extension sorts the coins by value and trying to bring them.

If the extension finds a coin with a balance of more than 0.01 BTC, which can be displayed, it will take you to the page output the coin with the highest value will automatically populate the request and click to automatically withdraw. It will also smear the screen Binance, inserting into the body of the document, the div element, moving it to the foreground and changing the text confirmation code two-factor authentication. It is necessary to convince you that you got out of the site. All this happens very quickly, and you don't even notice that you were redirected from the page.

the User believes that his session is complete

The user enters code two-factor authentication to "restore" the session (not knowing that he is confirming the withdrawal of coins to the address of the attacker), and then asked him to check the mail. Of course, the user will only receive a letter of confirmation of conclusion, but if he will not read the contents of the letter and just click the link, it will confirm the withdrawal and start the process. The same thing happens in Coinbase: periodic code requests two-factor authentication and the theft of cookies and data entry.

an Example of embedded browser extension forms enter the code two-factor authentication on Coinbase

If you view the account, the extension will calculate the asset with the highest cost, as well as sending the value of all your assets to your server, and try to withdraw money. It looks like this.

Extension changes the structure of the output window to force the user to enter the data (MD5 hash value – while testing I changed it to that control). During testing I had 100 pounds, so you leave 3 percent.

This occurs each time a page loads with your accounts, sothe user may accidentally start the output. Tricky. Therefore, the extension steals your login information to the exchange and tries to get you to confirm the transfer of funds to fraudsters.

the

Where do you send the funds?

Attackers have the following addresses:

the

the
• – 16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1s;
the
• – 0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca;
the
• – 1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3;
the
• – LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sp;
the
• – 0x03B70DC31abF9cF6C1cf80bfEEB322e8d3dbb4ca;
the
• – rGmdGrMjvxt6S3VjF4M78U2YMLPR6XLPsn;
the
• – 0x4F53C9882Ba87d2D7c525dF2aEF2540efb6e32e5.

Since the launch of the extension in the Chrome store 3 Dec 2018 attackers stole 23,23550279 BTC. Information will be true, assuming that these addresses are used only for this expansion, and through them were only stolen funds).

the

What are the secrets we discovered?

the

the
• addresses of the attackers.
the
• servers and domains;
the
• code comments in Russian – it is very likely that these are Russian.

We also covered the domain of the remote server, so those who have the extension will not become victims. But we still encourage you to remove the extension from browser and change email and password in all cryptoservice used.

The Extension was performed malicious actions on the following platforms: Exmo, Coinbase, Hbg / Huobi, HitBTC, Binance, LocalBitcoins, Blockchain .

How to protect yourself?

the

the
• do Not install unknown programs that annoying request access rights;
the
• if you suspect something, perhaps it is;
the
• periodically analyze the extensions that are installed in your browser, and delete unused;
the
• if the browser extension you use, look for the version of/alternative to open source or disable automatic updates Chrome store. Check the code or find a reliable person who can do it.

More data to search for .