Fake Extensions Targeting Firefox Users
According to a report by Koi Security (a cybersecurity firm), more than 40 fake wallet extensions impersonating popular cryptocurrency wallets are being used in an active crypto theft operation targeting users of Mozilla Firefox.
Users of Web 3.0 should be very careful of malicious browser add-ons disguised as trusted wallets like MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, OKX, MyMonero, and many more. Once installed, they silently steal wallet details and seed phrases from their victims and send this data to a server controlled by hackers.
Cloned Extensions Masquerading as Legitimate Wallets
The attackers behind this campaign have copied the design, branding, and codebase of a legitimate open-source crypto wallet. These copies carry fake five-star reviews and duplicate the icons and user interface elements of the originals to trick users into downloading them.
The aim is to keep the wallet working normally for the user while harmful scripts run alongside it. Certain extensions monitor what you type, looking for seed phrases and wallet keys. That includes strings longer than 30 characters, a length typical of such secrets.
According to Koi Security, “This low-effort, high-impact exploitation technique keeps the attackers below the radar and maximizes the stealing of user assets.”
Russian-Speaking Hackers Suspected
Koi Security thinks a Russian-speaking group is probably responsible, although full attribution is still unclear. The analysis found Russian-language comments in the malicious code. Threat researchers also point to metadata in a malicious PDF from an attacker command-and-control server.
While the evidence is not definitive, it is nevertheless indicative of some type of well-organized threat actor with technical capabilities.
Users Urged to Stay Vigilant
In light of the continuing threat, Koi Security encourages users to install browser extensions only from verified developers. The company also suggests treating all extensions as fully capable software that should therefore be monitored and controlled through allowlists or other security tools.
The company cautioned that even extensions that seem real can be dangerous and urged users not to install anything from an unverified company.
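One way to apply the allowlist advice above is to audit what is already installed. The Python below is an added example, not code from Koi Security or Mozilla: it reads data shaped like a Firefox profile's extensions.json and flags user-installed extensions that are not on a vetted list, raising the severity when one uses a wallet brand named in this article. The add-on IDs, the allowlist and the sample data are constructed, and the JSON field names are assumed to match current Firefox profiles.

```python
import json

# Wallet brands the article lists as impersonation targets.
WALLET_BRANDS = ("metamask", "coinbase", "trust wallet", "phantom",
                 "exodus", "okx", "mymonero")

# Constructed allowlist of vetted add-on IDs (placeholder values).
ALLOWLIST = {"vetted-wallet@example.org", "adblock@example.org"}

# Constructed sample shaped like a Firefox profile's extensions.json.
SAMPLE = json.dumps({"addons": [
    {"id": "vetted-wallet@example.org", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Phantom"},
     "userPermissions": {"origins": []}},
    {"id": "{11111111-2222-3333-4444-555555555555}", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "MetaMask Wallet Pro"},
     "userPermissions": {"origins": ["<all_urls>"]}},
    {"id": "notes@example.net", "type": "extension",
     "location": "app-profile", "active": False,
     "defaultLocale": {"name": "Quick Notes"},
     "userPermissions": {"origins": []}},
    {"id": "default-theme@mozilla.org", "type": "theme",
     "location": "app-builtin", "active": True,
     "defaultLocale": {"name": "System theme"}},
]})

def audit(extensions_json, allowlist=ALLOWLIST):
    """Return (addon_id, name, severity, reasons) for unlisted extensions."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue  # ignore themes and add-ons shipped with the browser
        if addon.get("id") in allowlist:
            continue  # vetted by ID; a display name alone is trivially cloned
        name = (addon.get("defaultLocale") or {}).get("name", "")
        origins = (addon.get("userPermissions") or {}).get("origins", [])
        reasons = ["not on allowlist"]
        if any(brand in name.lower() for brand in WALLET_BRANDS):
            reasons.append("uses a wallet brand name")
        if "<all_urls>" in origins:
            reasons.append("can read every page")
        severity = "high" if "uses a wallet brand name" in reasons else "review"
        findings.append((addon.get("id"), name, severity, reasons))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To run it against a real browser, pass in the contents of extensions.json from the Firefox profile directory instead of the sample.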
Conclusion
It’s important to exercise caution when installing browser extensions associated with your crypto wallet, as cybercriminals continue to steal crypto through them. The Firefox Add-ons store is another playground for scams, with over 40 fake extensions spotted so far. To protect your crypto from hidden threats, be proactive, check all sources, and keep an eye on your browser activity.