Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims' passwords

'Seriously sometimes seems Google's moderators are only optimized to respond to social media outrage'


Three weeks after Google removed 49 Chrome extensions from its browser's software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted – and some are still available to download.

The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks.

Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down.

Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at the time of writing.

Dan Finlay, lead developer of MetaMask, took to Twitter to get help from Google, because "it seriously sometimes seems like they're only optimized to respond to social media outrage."

Finlay complained that Google keeps approving extensions made by phishers. "The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review," he wrote. "Furthermore, they are all allowed to buy premium Google ad space at the top of search results."


As we reported in January, the Chrome Web Store appears to be understaffed and over-reliant on automation to deal with the challenges it faces. In this, it's not unlike the Google Play Store, which for years has struggled to keep malicious Android apps at bay.

The Register asked Google for comment but apart from being asked for more details about the suspect extensions, we've not heard back.

Finlay told The Register that if Google wants to run the Chrome Web Store with few people, then they should implement systems to automatically enforce brand and trademark restrictions for the store and its ad platforms.
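Finlay's suggestion of an automated brand check is the kind of thing a store reviewer or an enterprise extension allowlist could run at submission time. The following is an added example written for this article; it is not code from The Register, Google, MyCrypto or MetaMask. The four brand names are the ones the article lists; the verified-publisher strings, extension IDs, look-alike character table and sample listings are constructed placeholders.

```python
"""Flag extension listings whose name trades on a protected wallet brand but
whose publisher is not the publisher the store has verified for that brand.

Added example, not code from any party named in the article. Brand names are
from the article; every other value below is a constructed placeholder."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Brand -> publisher string assumed to be verified for that brand (placeholders).
PROTECTED_BRANDS = {
    "metamask": "metamask-verified-publisher",
    "ledger": "ledger-verified-publisher",
    "jaxx": "jaxx-verified-publisher",
    "keykeep": "keykeep-verified-publisher",
}

# Digits and symbols commonly used to imitate letters (assumed, not exhaustive).
_CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(name: str) -> str:
    """Lower-case, fold look-alike characters to letters, drop everything else."""
    return re.sub(r"[^a-z]", "", name.lower().translate(_CONFUSABLES))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance via the row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(norm: str, brand: str, max_dist: int) -> bool:
    """True if some window of norm is within max_dist edits of the brand token."""
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, max(1, len(norm) - width + 1)):
            if edit_distance(norm[start:start + width], brand) <= max_dist:
                return True
    return False


@dataclass(frozen=True)
class Listing:
    ext_id: str      # real Chrome extension IDs are 32 chars; placeholders here
    name: str
    publisher: str


def matched_brand(name: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the display name trades on a protected brand."""
    norm = normalize(name)
    for brand in PROTECTED_BRANDS:
        if brand in norm:
            return brand, "contains brand token"
    for brand in PROTECTED_BRANDS:
        # One edit allowed for short brands, two for longer ones (tunable).
        if fuzzy_contains(norm, brand, 1 if len(brand) <= 6 else 2):
            return brand, "look-alike of brand name"
    return None


def audit(listings: List[Listing]) -> List[Tuple[str, str, str]]:
    """Return (ext_id, brand, reason) for each listing that uses a brand it does not own."""
    findings = []
    for listing in listings:
        hit = matched_brand(listing.name)
        if hit is None:
            continue
        brand, reason = hit
        if listing.publisher == PROTECTED_BRANDS[brand]:
            continue  # the brand's own verified publisher: legitimate listing
        findings.append((listing.ext_id, brand, reason))
    return findings


# Constructed sample listings (IDs, names and publishers are placeholders).
SAMPLE_LISTINGS = [
    Listing("ext-a", "MetaMask", "metamask-verified-publisher"),
    Listing("ext-b", "MetaMask Wallet", "random-dev-1"),
    Listing("ext-c", "Meta Mask - Ethereum Wallet", "random-dev-2"),
    Listing("ext-d", "Ledg3r Live", "random-dev-3"),
    Listing("ext-e", "Jaxx Liberty", "jaxx-verified-publisher"),
    Listing("ext-f", "MetaMsk", "random-dev-4"),
    Listing("ext-g", "Tab Manager Pro", "random-dev-5"),
]

if __name__ == "__main__":
    for ext_id, brand, reason in audit(SAMPLE_LISTINGS):
        print(f"{ext_id}: {reason} '{brand}' from unverified publisher")
```

The check deliberately stops at a flag for human review rather than an automatic rejection: a genuine third-party "Ledger companion" tool would be caught too, and the point is to route anything using a protected name from an unverified publisher to a reviewer before it goes live, not to decide the trademark question in code. The confusable table and edit-distance thresholds are the knobs to tune against false positives.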

"I think it would be great for Google to make a stance of respecting trademarks in their ads, but I’m not sure if that runs counter to their business model," he said. "I sure hope Google doesn’t feel they need to protect phishing to stay afloat."

Google's ad policy says the company will review trademark complaints from trademark holders, but only after receiving a complaint. Google's Chrome Web Store developer agreement forbids developers from violating intellectual property rights, which probably doesn't mean much to committed law-breakers. At the same time, it makes clear, "Google is not obligated to monitor the Products or their content."

Denley said Google appears to be either incapable of policing the Chrome Web Store or negligent.

"I own a semi-popular Chrome extension and after each publish request it takes a while for it to be approved – so if there is a manual review process, either it doesn't work as intended (and only slows down updates to popular extensions) or it's only a manual review on popular extensions," he said. "It seems these bad extensions are just being approved from multiple different accounts instantly."

A week ago, Google announced yet more restrictions aimed at cleaning up the Chrome Web Store, noting "the increase in adoption of the extension platform has also attracted spammers and fraudsters introducing low-quality and misleading extensions in an attempt to deceive and trick our users into installing them to make a quick profit."

The policy revision aims to prevent developers from spamming the store with similar extensions and expands the company's definition of abusive behavior and review manipulation. In January, Google locked down the Chrome Web Store due to a flood of vitriolic comment.

Keep in mind that Google has made similar security enhancement announcements about the Chrome Web Store every year since 2011.

Denley said in a perfect world, owners of popular extensions would be given more attention when they report abuse, like the appearance of a similarly named and branded extension.

"I'd love to be able to get in contact with [the Chrome Web Store] team so I can pass my IOCs [indicators of compromise] to them, though I guess cryptocurrency-related Web Store items are not their priority," he said.

Perhaps someone will develop a Chrome extension that re-labels Twitter's Tweet button to read "Google Support." ®

Biting the hand that feeds IT © 1998–2022