Chrome extension “Shitcoin Wallet” stealing data from it's users
The Ethereum wallet is injecting malicious javascript code from open browser windows
That didn’t take long… we have just started the year and already we have the first data breach incident reported. Cybersecurity and anti-phishing expert Harry Denley warned about the vulnerability in a tweet a couple of days ago. It was only two weeks ago that I wrote about a leading Blockchain application platform VeChain’s wallet being compromised, apart from other high profile hacks in December.
The Chrome browser extension named Shitcoin Wallet (ID:ckkgmccefffnbbalkmbbgebbojjogffn) was launched on December 9, 2019. The link to the extension seems to have been removed from the Google Chrome Web Store at the time of publishing, as you will get a 404 (requested URL can’t be found on the server) error. The current breach adds to a similar incident a week earlier where Google removed the Ethereum wallet app MetaMask from its Google Play App Store.
According to an analysis by Denley, the malicious extension sends the private keys of all wallets created or managed through its interface to a remote third party server identified as erc20wallet[.]tk. Apart from this, all your funds in the form of ETH or any other ERC-based tokens are directly at risk as well. The malicious code operates in the following way:
Users install the Chrome browser extension.
The extension requests permission to inject JavaScript (JS) code on 77 websites.
When users try to browse any of these websites, the extension loads another malicious file from JS file from https://erc20wallet[.]tk/js/content_.js
This JS file contains deceiving code which is difficult to comprehend.
The code reactivated on the following five websites — MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
The malicious code then searches for private credentials stored on these platforms, collects the information and sends it out to the remote server.
Shitcoin Wallet also launched the desktop version (32-bit and 64-bit version) of its app a few days prior to this attack with an incentive of giving away 0.05 ETH to users who download & install its client. Looking at the comments posted on the wallet’s Telegram channel, it points to the presence of malicious code on their desktop client as well. The trade-off is huge — 0.05 ETH for your digital wallet info.
It is unclear whether the Shitcoin Wallet team is responsible for the malicious code or the Chrome extension got compromised by a nefarious third party. But the name “Shitcoin Wallet” should have been a giveaway to stay away from software in the first place.