Some kits sent the phished data back to a GoogleDocs form. We’ve identified 14 unique C2s (also known as a command & control server that continues to communicate with your compromised system) but by using fingerprinting analysis, we can link specific C2s to each other to conclude which of the phishing kits have the same bad actor(s) behind them.
Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts. The brands we’ve found targeted with malicious extensions are:Įssentially, the extensions are phishing for secrets - mnemonic phrases, private keys, and keystore files. Whilst the extensions all function the same, the branding is different depending on the user they are targeting. We have found a range of extensions targeting brands and cryptocurrency users. Gather intelligence to feed into custom tools to help detection before victims are made.Help shut down scam campaign infrastructure.Give “everyday-users” real-life examples of attacks so they are more likely to enforce security controls on their assets.Report on big campaigns to make people aware.Educate “everyday-users” on what the different attack vectors are.Whilst this is not a new attack vector - and we’ve written about malicious browser extensions before - the brands targeted are new. Recently, we’ve come across big campaigns pushing fake browser extensions to users and targeting well-known brands via Google Ads and other channels. An example of a malicious extension being delivered via Google Ads
0 kommentar(er)
