Cybersecurity company SlowMist reveals: The truth behind Chrome malicious extension stealing millions of dollars


Recently, users in the crypto community suffered significant financial losses after installing the malicious Chrome extension Aggr, an incident that has attracted widespread attention. To help users better understand the risks of browser extensions and improve their own security posture, 23pds of the SlowMist security team has provided a detailed analysis of the extension's malicious behavior together with practical security recommendations.

For more information, please see the original article: SlowMist: Demystifying the Chrome Malicious Extension that Stole Millions of Dollars

Community Warning Sparks Concern

On June 3, 2024, Twitter user @CryptoNakamao shared a post detailing how they had lost 1 million USD due to downloading a malicious Chrome extension called Aggr. This incident quickly sparked widespread discussions within the crypto community, with users expressing concerns about extension risks and the security of their crypto assets.

Google Extension Gone Wrong! One Million USD Missing from Binance Account, Hard to Recover

Analysis by SlowMist Security Team

As early as May 31, the SlowMist security team released a detailed analysis report on the Aggr extension, exposing its malicious activities. This article, through a Q&A format, helps users understand the basics and potential risks of Chrome extensions, providing recommendations for handling them.

1. What Is a Chrome Extension?

Chrome extensions are plugins designed for the Google Chrome browser that extend its functionality and behavior. They are typically built with web technologies (HTML, CSS, and JavaScript) and consist of:

– manifest.json: The extension's configuration file that defines basic information.

– Background script: Handles background tasks.

– Content script: Interacts with web pages.

– User interface: Includes toolbar buttons, pop-up windows, etc.

2. What Are the Functions of Chrome Extensions?

Chrome extensions serve various purposes, including:

– Ad blocking: Improving page load speed and user experience, such as AdBlock.

– Privacy and security: Enhancing user privacy and security, like Privacy Badger.

– Productivity tools: Boosting work efficiency, such as Todoist.

– Developer tools: Providing debugging and development tools, like React Developer Tools.

– Social media and communication: Facilitating social media notifications, such as Grammarly.

– Web customization: Customizing web appearance and behavior, like Stylish.

– Automated tasks: Helping automate repetitive tasks, like iMacros.

– Language translation: Real-time web content translation, such as Google Translate.

– Cryptocurrency assistance: Facilitating cryptocurrency transactions, like MetaMask.

3. What Permissions Do Chrome Extensions Request After Installation?

Chrome extensions may request the following permissions:

– <all_urls>: Access to all website content.

– tabs: Access to browser tab information.

– activeTab: Temporary access to the currently active tab.

– storage: Use of Chrome's storage API.

– cookies: Accessing and modifying cookies in the browser.

– webRequest: Intercepting and modifying network requests.

– bookmarks: Accessing and modifying browser bookmarks.

– history: Accessing and modifying browser history.

– notifications: Displaying desktop notifications.

– contextMenus: Adding custom menu items.

– geolocation: Accessing user geolocation information.

– clipboardRead and clipboardWrite: Reading and writing clipboard contents.

– downloads: Managing downloads.

– management: Managing other extensions and applications.

– background: Running tasks in the background.

– webNavigation: Monitoring and modifying browser navigation behavior.

While these permissions enable powerful functionality, they also give the extension access to sensitive user data.
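As an added illustration (not code from SlowMist's report or from the Aggr extension), the following Node.js script audits an extension's manifest.json and flags the permissions listed above, treating "cookies" combined with access to every site as the most dangerous combination; the risk tiers and the sample manifest are assumptions constructed for this example.

```javascript
// Added example, not from the SlowMist report: audit a Chrome extension manifest
// and flag risky permissions. Tiers and the "critical" rule are illustrative assumptions.
const HIGH_RISK = new Set(["cookies", "webRequest", "management", "downloads", "clipboardRead", "history"]);
const MEDIUM_RISK = new Set(["tabs", "storage", "webNavigation", "bookmarks", "geolocation", "clipboardWrite", "background"]);
const LOW_RISK = new Set(["activeTab", "notifications", "contextMenus"]);
// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function classify(permission) {
  if (HIGH_RISK.has(permission)) return "high";
  if (MEDIUM_RISK.has(permission)) return "medium";
  if (LOW_RISK.has(permission)) return "low";
  return "unknown";
}

// Gather permissions and host patterns from both Manifest V2 and V3 fields,
// plus the match patterns of content scripts (the pages the code is injected into).
function collectPermissions(manifest) {
  const perms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const cs of manifest.content_scripts || []) perms.push(...(cs.matches || []));
  return perms;
}

function auditManifest(manifest) {
  const findings = { high: [], medium: [], low: [], unknown: [], broadHost: [], hosts: [] };
  for (const p of collectPermissions(manifest)) {
    if (BROAD_HOSTS.has(p)) findings.broadHost.push(p);
    else if (/^(\*|https?|file|ftp):\/\//.test(p)) findings.hosts.push(p); // site-specific pattern
    else findings[classify(p)].push(p);
  }
  // "cookies" together with access to every site lets the extension read the session
  // cookies of any site the user is logged in to (the combination the article attributes to Aggr).
  findings.critical = findings.high.includes("cookies") && findings.broadHost.length > 0;
  return findings;
}

// Constructed sample manifest mirroring the permission set described for Aggr
// (cookies, tabs, <all_urls>, storage); this is not the real Aggr manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "sample-extension",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To audit a real extension, pass the parsed contents of its manifest.json (for example `JSON.parse(fs.readFileSync(path))`) to `auditManifest`.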

4. How Can Malicious Chrome Extensions Steal User Permissions?

Malicious extensions exploit requested permissions to steal user information and credentials, including:

– Requesting broad permissions: Such as accessing all websites, reading and modifying tabs, accessing storage, etc.

– Manipulating network requests: Intercepting and modifying network requests to steal authentication information.

– Reading and writing page content: Reading and modifying page data through embedded code.

– Accessing browser storage: Accessing local data containing sensitive information.

– Operating the clipboard: Reading and altering information copied and pasted by the user.

– Impersonating legitimate websites: Inducing users to enter sensitive information.

– Long-term background operation: Continuously monitoring user activity and collecting data.

– Managing downloads: Downloading and executing malicious files, threatening system security.

5. How Do Malicious Extensions Steal User Permissions and Funds?

The malicious Aggr extension leveraged extensive permissions (such as cookies, tabs, <all_urls>, storage) to steal user permissions and funds through:

– Simulating user logins to trading platform accounts.

– Unauthorized transactions and fund transfers.

– Accessing and collecting sensitive information.

– Modifying account settings to control user accounts.

– Engaging in social engineering attacks to further obtain sensitive information.

6. What Can Malicious Extensions Do After Stealing Cookies?

Malicious extensions can utilize stolen cookies to perform the following actions:

– Accessing account information.

– Conducting unauthorized transactions.

– Bypassing two-factor authentication to withdraw funds.

– Accessing and collecting sensitive information.

– Modifying account settings.

– Impersonating users for social engineering attacks.

Countermeasures

Countermeasures for Individual Users

– Enhance personal security awareness: Maintain a skeptical attitude.

– Only install extensions from trusted sources: Read user reviews and permission requests.

– Use a secure browser environment: Avoid installing extensions from unknown sources.

– Regularly check account activity: Take immediate action upon detecting suspicious behavior.

– Use hardware wallets: Store large assets securely.

– Browser settings and security tools: Reduce risks of malicious extensions.

– Use secure software: Detect and prevent malicious software.

Platform Risk Control Recommendations

– Enforce the use of two-factor authentication (2FA): Ensure account security for users.

– Session management and security: Manage logged-in devices, implement session timeout policies.

– Strengthen account security settings: Send security notifications, provide account freeze functionality.

– Enhance monitoring and risk control systems: Monitor user behavior, identify abnormal transactions.

– Provide users with security education and tools: Promote security knowledge, offer official security tools.

Security needs to be balanced with business requirements, and platforms must consider user experience while protecting user accounts and assets. The SlowMist security team advises users to question the safety of software and plugins before installation to prevent stories from turning into incidents. For more security insights, please read the SlowMist-produced "Blockchain Dark Forest Self-Defense Handbook."