A recent campaign, dubbed “GreedyBear,” utilized approximately 150 malicious Firefox extensions to steal an estimated one million dollars from cryptocurrency wallet owners. The scheme, uncovered by Koi Security, involved threat actors impersonating legitimate cryptocurrency wallet extensions within the Firefox add-ons store.
Mozilla has since removed the identified malicious extensions. However, researchers suggest that attackers could swiftly launch similar campaigns; a potential expansion of “GreedyBear” has already been identified in the Chrome Web Store through an extension named Filecoin Wallet.
The malicious extensions initially appeared benign. Threat actors uploaded seemingly harmless crypto wallet extensions with branding that mimicked popular platforms such as MetaMask, TronLink, and Rabby, then accumulated fake positive reviews to build trust. Subsequently, the attackers replaced the names and logos and injected malicious code, transforming the extensions into keyloggers. These compromised extensions captured form field inputs and victims’ external IP addresses and transmitted this sensitive data to attacker-controlled servers.
To safeguard against such threats, users are advised against blindly trusting extensions found in official add-on stores. Before installing a new extension, it is crucial to thoroughly read user reviews beyond just star ratings, examine the version history, and scrutinize the developer’s other projects for any suspicious activity. For cryptocurrency wallets specifically, a safer practice is to navigate directly to the project’s official website, which will provide a link to the legitimate extension.