A Google Chrome extension was found to inject JavaScript code on web pages to steal passwords and private keys from encryption and encryption currency money purse portal.
The extension Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn ), on December 9 start.
According to introduction , Shitcoin Wallet allows users to manage Ethernet (ETH) coins, you can manage Ethernet-based Square ERC20 token - usually ICO issued tokens ( initial token release ). Users can install from the Chrome browser extension and management ETH coins and ERC20 tokens; at the same time, if you want to manage funds from high-risk environments outside the browser, you can install Windows desktop applications.
However, MyCrypto platform security director Harry Denley the recently discovered that the extension contains malicious code.
According Denley say, to the user, the extended presence of two risks. First of all, any funds (ETH coins and tokens based ERC0) management directly within the extensions are at risk. Denley said that the extension will be sent through all the private purse of its interface to create or manage located erc20wallet [.] Tk of third-party sites.
Second, when a user navigates to five well-known and popular encryption currency management platform, this extension can also take the initiative to inject malicious JavaScript code. This code will steal login credentials and private key, and sends the data to the same erc20wallet [.] Tk third-party sites.
The analysis of the malicious code, the process is as follows:
- Users install the Chrome Extension
- Chrome extension request permission injected JavaScript (JS) code on site 77 [listed here Wallpaper ]
- When a user navigates to any of these 77 sites, the extensions are loaded from the injection position and a JS file attached : HTTPS: // erc20wallet [.] TK / JS / content_.js
- This JS file contains the code obfuscation [deobfuscated here Wallpaper ]
- The code is activated on five sites: MyEtherWallet.com , Idex.Market , Binance.org , NeoTracker.io , and Switcheo.exchange
- Once activated, the malicious JS code will record the user's login credentials, search the private key is stored in the dashboards in five services, and finally sends the data to erc20wallet [.] Tk
It is not clear whether Shitcoin Wallet team to deal with the malicious code responsible for, or the Chrome extension is subject to damage by third parties.
Reference News: https://www.zdnet.com/article/chrome-extension-caught-stealing-crypto-wallet-private-keys/