March 15, 2019

An airdrop of Huobi exchange tokens turned out to be part of a campaign to steal users' private keys.


A malicious Google Chrome browser extension designed to steal users' cryptocurrency assets was downloaded at least 230 times before the search giant discovered and removed it, security researcher Harry Denley reported on his blog.

According to Denley, the attackers sent an ERC20 token named Huobi Airdrop to random Ethereum addresses, prompting recipients to visit a page supposedly created by the Huobi exchange to conduct the airdrop.

On visiting the site, the user was shown a notification, presented as a built-in Chrome feature, offering to install an extension called “NoCoin - Block Coin Miners” to combat hidden cryptocurrency mining.


If the MetaMask extension was active in the browser, a second notification was displayed that mimicked MetaMask's standard warning about malicious sites but contained a link to the same extension, something the genuine wallet's warning does not include.


“Initially, the extension was doing what it was supposed to do — it found several CryptoJacking scripts. The extension had an attractive interface in which it reported on the work performed,” the researcher writes.


What the extension did not report was that it could steal data from users of the MyEtherWallet (MEW) and Blockchain.com wallets, data that was then transmitted to the attackers.

How long the malicious extension was available to Chrome users, and the extent of the damage caused by the attackers, is unknown.