3-Minute Tips: How to Avoid This Strange New Crypto Malware

By kimihime, 1 year ago

Though cryptocurrencies give users full sovereignty over their assets and enable a great deal of financial freedom, this also leaves them responsible for the security of their funds. Deposit insurance schemes like the Financial Services Compensation Scheme or FDIC's Deposit Insurance don’t apply to cryptocurrencies.

Likewise, cryptocurrency transactions are generally irreversible, making recovery extraordinarily unlikely in most cases.

As a result, cryptocurrency holders are prime targets for hackers, scammers and crooks who would like nothing more than to separate you from your hard-earned funds.

Now, there’s a new type of malware on the loose, which iterates on the common address swap attack to form a particularly nasty and difficult-to-detect threat.

How Does It Work?

First uncovered by LocalMonero in October, the malware takes the form of a trojan that is loaded onto the device through a dubious browser extension. Once installed, it replaces the recipient address the victim enters with an attacker-controlled address whenever they make a purchase or send a transaction from their wallet.

The result is that the funds are transferred to the attacker's wallet rather than to the intended recipient.

Though this would usually be simple to detect by double-checking the address before submitting the transaction, the malware manages to execute the address swap in such a way that the switch is hidden from the user until it’s too late.

As detailed in the original Reddit post, the malware is loaded onto the user's system after they inadvertently install a seemingly innocuous extension in their Chromium-based browser. In this case, the malware is disguised as a Google Sheets extension, but it may by now have been concealed within other types of extensions as well.

It is highly likely that this malware can be adapted to attack other cryptocurrencies and wallets, hence it’s now even more important to grasp the basics of crypto security.

Avoiding Address Swap Attacks

The malware currently uses JavaScript to carry out the swap, so disabling JavaScript neutralizes it and reduces your browser's attack surface. This is easily done in the settings of most Chromium-based browsers.

Here's how to disable it in Chrome itself.

1. Open Settings.

2. Search for "JavaScript."

3. Click "Site Settings" under the Privacy and security section.

4. Select the "Don't allow sites to use JavaScript" option.
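The steps above change the setting for one Chrome profile through the UI. As an added example, not part of the original post, the PowerShell script below applies the same "block JavaScript" setting as a machine-wide Chrome policy on Windows (the only platform the malware has been seen on so far), and also enforces the "never install add-ons from untrusted sources" tip by blocking every extension except a reviewed allowlist. Because most web wallets and exchange interfaces need JavaScript to work at all, the script goes one step further than the post and keeps a per-site allowlist. The policy registry path and policy names are Chrome's documented ones; the site URLs and the 32-character extension ID are placeholders you replace with your own trusted values. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): enforce "disable JavaScript" and
# "only trusted extensions" as Chrome policies on Windows. Requires an elevated shell.
# Assumptions: Chrome reads policies from the registry path below; the URLs and
# extension ID are placeholders, not values from the post.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Trusted sites that may still run JavaScript (placeholder hosts; keep this list short).
$AllowedJsSites = @(
    'https://wallet.example.invalid',
    'https://exchange.example.invalid'
)

# Extension IDs you have reviewed and still want installable (placeholder ID).
$AllowedExtensions = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder: 32-character Chrome extension ID
)

function Set-ChromeListPolicy {
    # Chrome reads list-valued policies from a subkey whose values are named "1", "2", ...
    param([string]$Name, [string[]]$Items)
    $Key = Join-Path $ChromePolicy $Name
    if (Test-Path $Key) { Remove-Item $Key -Recurse -Force }   # start from a clean list
    New-Item -Path $Key -Force | Out-Null
    for ($i = 0; $i -lt $Items.Count; $i++) {
        New-ItemProperty -Path $Key -Name "$($i + 1)" -Value $Items[$i] `
            -PropertyType String -Force | Out-Null
    }
}

New-Item -Path $ChromePolicy -Force | Out-Null

# DefaultJavaScriptSetting: 1 = allow, 2 = block. Blocking by default is step 4 of the
# post, applied to every user on the machine instead of one profile.
New-ItemProperty -Path $ChromePolicy -Name 'DefaultJavaScriptSetting' -Value 2 `
    -PropertyType DWord -Force | Out-Null
Set-ChromeListPolicy -Name 'JavaScriptAllowedForUrls' -Items $AllowedJsSites

# Block installation of every extension ("*") except the reviewed allowlist.
Set-ChromeListPolicy -Name 'ExtensionInstallBlocklist' -Items @('*')
Set-ChromeListPolicy -Name 'ExtensionInstallAllowlist' -Items $AllowedExtensions

# Read back what was written. Chrome shows the effective result at chrome://policy
# (click "Reload policies" if the browser is already open).
"DefaultJavaScriptSetting = " + (Get-ItemProperty -Path $ChromePolicy).DefaultJavaScriptSetting
foreach ($Name in 'JavaScriptAllowedForUrls', 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
    $Values = Get-ItemProperty -Path (Join-Path $ChromePolicy $Name)
    $List = $Values.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value
    "$Name = " + ($List -join ', ')
}
```

Because the policy lives under HKLM, a user cannot undo it from the Settings page the way they could undo the manual steps, which is the point on a machine that handles funds. The extension allowlist is the stronger of the two controls against this particular threat, since it stops the trojanized extension from being installed in the first place rather than only disarming it afterwards.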


As of writing, the malware only affects the LocalMonero peer-to-peer exchange, but it is highly likely that it is already being adapted to work with other exchanges, wallets and brokers.

Likewise, the malware currently only infects Windows devices; it has not been found on macOS, Android or iOS.

Besides disabling JavaScript, there are several other simple steps you can take to minimize your risk of falling victim to similar attacks. These include:

1. Never download, click or install add-ons, plugins, software or files from untrusted sources.

2. Perform a small test transaction before buying, selling or withdrawing cryptocurrencies from wallets/exchanges.

3. Use a hardware wallet. These let you double-check the recipient address on a tamper-resistant external screen before you approve the transaction, so an address swapped in the browser is visible before any funds move.
