Malicious Browser Extension Racks Up Stolen Bitcoin From Unsuspecting Users

A bit of internet sleuthing led one Medium blog poster to come across a malicious browser extension under the guise of a “Blockchain Cash Back service.”

The project promised users money back on different transactions, even on centralized crypto exchanges, but turned out to be a scheme to steal a variety of login information and siphon off cryptocurrencies.

Writing on Medium in association with MyCrypto, "Harry" detailed the reality behind a Google Chrome browser called “CCB Cash.” He said at the time of discovery, the extension “had 181 users on it.”

Since its Chrome store launch on December 3, 2018, the attackers have purportedly managed to steal a bit more than 23 bitcoin (roughly $81,650,000 as of press time). The extension has since been removed from the store. 

Lots Of Malicious Code In Order To Steal Crypto

An investigation of the extension code revealed a system that “steals all your secrets depending on the domain you are on.”

A user who first installed the browser extension was met with requests to open all tabs and cookies, along with permission for write access to domains like Github, Binance, Coinbase, and LocalBitcoins.The malicious extension was primed to steal different information based on what website a user was on. On Binance for example, it would swipe a person’s login information, 2FA codes, CSRF tokens, and then would try to steal cryptocurrency.

The overall goal of the extension as to steal login information and then try to trick users into accepting crypto withdraws to the scammer’s accounts. According to the Medium post, initial speculation is that it is “highly likely this is a RU outfit doing this” due to the presence of “Russian code comments.”

An Etherscamdb page for ‘cryptocashback.org’ indicated it was a scam domain that was offline. Those behind the post said they notified targeted exchanges about the malicious extension so they could investigate.

Cryptojacking Malware A Continued Threat To Internet Users

CryptoGlobe has reported on several instances where viruses and malware were deployed to steal cryptocurrency.

One scenario involved cryptojacking software buried in fake copy of a torrented movie that would redirect crypto payments whenever possible. The malicious software would scan websites for cryptocurrency addresses and then replace them with ones owned by the attackers. The virus would also falsify search results and create fake advertisements.

In November, McAfee Labs identified a cryptojacking malware that would infect computers to secretly mine Monero or Zcash. Researchers said that it had affected users across the world and eventually slows down the machine, “leaving the user with a headache and an unwelcome bill.”

Photo courtesy of Etherscamdb