Dozens of fake wallet add-ons flood Firefox store to drain crypto

[harlan4096]

More than 40 fake extensions in Firefox’s official add-ons store are impersonating popular cryptocurrency wallets from trusted providers to steal wallet credentials and sensitive data.

Some of the extensions pretend to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and include malicious code that sends stolen information to attacker-controlled servers.
 

Fake wallet extensions on the Firefox add-ons store
Source: BleepingComputer

Researchers at Koi security found the risky extensions along with evidence indicating that behind the campaign is a Russian-speaking threat group.

In a report shared with BleepingComputer, the researchers say that many of these browser add-ons are clones of open-source versions of legitimate wallets with added malicious logic.

Koi security presents examples of ‘input’ and ‘click’ event listeners in the code, which monitor for sensitive data inputs from the victim.
 

Malicious code snippets in the extensions
Source: Koi Security

The code checks for input strings that are longer than 30 characters to filter for realistic wallet keys/seed phrases, and exfiltrates the data to the attackers.

Error dialogs are hidden from the user by setting the opacity to zero for any elements that might alert the user of the activity.

Seed phrases (recovery/mnemonic phrase) are master keys typically comprising multiple words, allowing users to recover or port wallets to new devices.
Obtaining someone’s seed phrase makes it possible to steal all the cryptocurrency assets in the wallet. The theft appears as a legitimate transaction and is irreversible.

The campaign has been active since at least April and new extensions appear to be added to the Firefox store constantly. The researchers say that the newest malicious entries are as recent as last week.

Continue Reading...