MEGA’s Chrome extension laced with cryptocurrency-stealing malware
MEGA has given details of a targeted attack in which hackers managed to upload a malicious version of its Chrome browser extension to Google’s Chrome Web Store. For five hours, anyone who installed the extension or received it via autoupdate got the trojaned build, and any credentials entered on the targeted sites while it was running should be treated as compromised.
Services affected include the popular cryptocurrency wallet services MyEtherWallet (MEW) and MyMonero, and the decentralized asset exchange IDEX. Logins to Amazon, Microsoft, and Google were also specifically targeted. There is currently no reliable information on how many accounts were directly compromised.
What’s notable is that MEGA attributes the incident to a compromised Chrome Web Store developer account: an attacker was able to log in as MEGA and push an update laced with credential-stealing code, and the store then distributed it to existing users like any other update. MEGA also notes that the stolen data was being sent to a server in Ukraine.
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (read and change all your data on the websites you visit) that MEGA’s real extension does not require,” reads the statement. “Please note that if you visited any site or made use of another extension that sends plain-text credentials […] while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
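The elevated permission MEGA describes is the one thing a user or administrator could have checked: a clean build that needs no host access suddenly asking to “read and change all your data on the websites you visit”. The following is an added example, not MEGA’s code or tooling, that diffs two extension manifests and flags exactly that kind of escalation. The manifests are constructed for the example; only the version number 3.39.4 comes from MEGA’s statement, the prior version number and the permission lists are assumptions.

```python
"""Flag permission escalation between two Chrome extension manifest.json versions.

Added example (not MEGA's code). The two manifests below are constructed to
mirror the pattern MEGA described: a clean build with no host access, then an
update that requests a broad host permission, which Chrome's install prompt
renders as "read and change all your data on the websites you visit".
Real manifests live under the browser profile's Extensions/<id>/<version>/ dir.
"""
import json
import re

# Host match patterns that amount to "every website".
BROAD_HOST_RE = re.compile(r"^(<all_urls>|(\*|https?|file|ftp|wss?)://\*/.*)$")

# API permissions that expose page content, requests or credentials.
SENSITIVE_API = {"webRequest", "webRequestBlocking", "tabs", "cookies",
                 "history", "nativeMessaging", "debugger", "proxy"}


def declared_permissions(manifest):
    """Return (api_permissions, host_permissions) for an MV2 or MV3 manifest.

    MV2 mixes host patterns into "permissions"; MV3 puts them in
    "host_permissions". Content-script "matches" also grant host access,
    so they are folded into the host set.
    """
    api, hosts = set(), set()
    for p in manifest.get("permissions", []):
        (hosts if ("://" in p or p == "<all_urls>") else api).add(p)
    hosts.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return api, hosts


def permission_escalation(old, new):
    """Describe what `new` requests that `old` did not, and how broad it is."""
    old_api, old_hosts = declared_permissions(old)
    new_api, new_hosts = declared_permissions(new)
    added_hosts = new_hosts - old_hosts
    added_api = new_api - old_api
    return {
        "version": (old.get("version"), new.get("version")),
        "added_hosts": sorted(added_hosts),
        "added_api": sorted(added_api),
        "gained_all_sites": any(BROAD_HOST_RE.match(h) for h in added_hosts),
        "gained_sensitive_api": sorted(added_api & SENSITIVE_API),
    }


def should_block_update(report):
    """Policy: hold the update if host scope widens to all sites or a
    sensitive API appears. A real deployment would gate autoupdate on this."""
    return report["gained_all_sites"] or bool(report["gained_sensitive_api"])


# Constructed sample manifests (assumed contents, not the real MEGA manifests).
# "3.39.3" as the prior clean version is an assumption; 3.39.4 is from MEGA.
CLEAN_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example extension", "version": "3.39.3",
  "permissions": ["storage", "unlimitedStorage", "downloads"]
}""")
TROJANED_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example extension", "version": "3.39.4",
  "permissions": ["storage", "unlimitedStorage", "downloads", "<all_urls>",
                  "webRequest", "webRequestBlocking"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    report = permission_escalation(CLEAN_MANIFEST, TROJANED_MANIFEST)
    print(json.dumps(report, indent=2))
    print("block update:", should_block_update(report))
```

Run against two cached manifest versions of the same extension, this turns the permission prompt most users click through into a yes/no signal: a version bump that newly asks for `<all_urls>` or a wildcard host pattern, plus `webRequest`, is the shape of the update MEGA describes.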
MyEtherWallet (MEW), in particular, is no stranger to these attacks. Over a seven-month period it fell victim to a series of hacks. First, users were targeted by scammers who had uploaded a fake app pre-loaded with private keys the attackers controlled. Then users were lured to a hacked version of the website, and more than 200 ETH (about $56,000) was stolen directly from user wallets.
This isn’t the first time hackers have managed to pull off a scheme like this, either. The same thing happened to Hola’s Chrome extension: users of the popular VPN service were served a hacked version of the browser extension, which was found to contain a backdoor like the one just found in MEGA’s. Again, for five hours, any user who used MEW while running Hola’s Chrome extension had their private keys exposed, and was urged to move their funds as soon as possible.
Is no browser extension safe?
Exactly how it all happened is not yet clear. MEGA’s official statement signs off by saying it is “currently investigating the exact nature of the compromise of our Chrome webstore account,” so we will have to wait and see what the internal investigation reveals.
Published September 5, 2018 — 09:52 UTC