Recently, users in the crypto community suffered significant asset losses after installing the malicious Chrome extension Aggr, which has attracted widespread attention. To help users better understand the risks of browser extensions and improve their own protection, SlowMist security team member 23pds analyzed in detail how this malicious extension works and provided practical security suggestions.

(For details, please see the original article: SlowMist: Unravelling the mystery of the malicious Chrome extension that stole millions of dollars)

Community warning draws attention

On June 3, 2024, Twitter user @CryptoNakamao posted about having $1 million stolen after installing the malicious Chrome extension Aggr. The incident quickly sparked widespread discussion in the crypto community, with users expressing concern about extension risks and the security of their crypto assets.

(Related: A Google Chrome extension caused trouble! The $1 million that disappeared from a Binance account will be difficult to recover.)

Analysis by the SlowMist Security Team

As early as May 31, the SlowMist security team released a detailed analysis report on the Aggr extension, revealing how it operates. This article helps users understand the basics and potential risks of Chrome extensions through six questions and answers, and provides countermeasures.

1. What are Chrome extensions?

Chrome extensions are plug-ins designed for the Google Chrome browser that extend its functionality and behavior. They are usually built with web technologies such as HTML, CSS, and JavaScript. The main parts include:

– manifest.json: the extension's configuration file, which defines its basic information.

– Background script: handles background tasks.

– Content scripts: interact with web pages.

– User interface: such as toolbar buttons, pop-up windows, etc.

2. What do Chrome extensions do?

Chrome extensions serve a variety of purposes, including:

– Ad Blocking: Improve web page loading speed and user experience, such as AdBlock.

– Privacy and Security: Enhance user privacy and security like Privacy Badger.

– Productivity Tools: Increase your productivity, like Todoist.

– Developer Tools: Provides debugging and development tools, such as React Developer Tools.

– Social media and communications: handy social media notifications and writing aids, such as Grammarly.

– Web page customization: Customize web page appearance and behavior, such as Stylish.

– Automate tasks: Helps automate repetitive tasks like iMacros.

– Language Translation: Translate web content in real time, such as Google Translate.

– Cryptocurrency assistance: Facilitates cryptocurrency trading, such as MetaMask.

3. What permissions does the Chrome extension have after it is installed?

Chrome extensions may request the following permissions:

– <all_urls>: access all website content.

– tabs: access browser tab information.

– activeTab: temporarily access the currently active tab.

– storage: use Chrome's storage API.

– cookies: access and modify cookies in the browser.

– webRequest: intercept and modify network requests.

– bookmarks: access and modify browser bookmarks.

– history: access and modify browser history.

– notifications: display desktop notifications.

– contextMenus: add custom menu items.

– geolocation: access the user's geographical location.

– clipboardRead and clipboardWrite: read and write clipboard contents.

– downloads: manage downloads.

– management: manage other extensions and applications.

– background: run tasks in the background.

– webNavigation: monitor and modify browser navigation behavior.

While these permissions enable powerful functionality, they also give an extension potential access to a user's sensitive data.

4. Why can malicious Chrome extensions steal account permissions?

Malicious extensions use the permissions they request to steal user information and authentication data. Specific methods include:

– Request broad permissions: such as access to all sites, reading and modifying tabs, access to storage, etc.

– Manipulate network requests: intercept and modify network requests, and steal authentication information.

– Read and write page content: read and modify page data through injected scripts.

– Access browser storage: access local data containing sensitive information.

– Manipulate the clipboard: read and tamper with information the user copies and pastes.

– Impersonate a legitimate website: induce users to enter sensitive information.

– Long-term background operation: continuously monitor user activity and collect data.

– Manipulate downloads: download and execute malicious files, threatening system security.

5. How do malicious extensions steal account access and funds?

The malicious extension Aggr takes advantage of a wide range of permissions (such as cookies, tabs, <all_urls>, storage) to steal account access and funds in the following ways:

– Impersonate the user's login to a trading platform account.

– Carry out transactions and fund transfers without the user's consent.

– Access and collect sensitive information.

– Change account settings and take control of the account.

– Conduct social engineering attacks to obtain further sensitive information.
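As an added illustration (not code from the SlowMist report), here is a small manifest audit in JavaScript that flags the permissions listed in question 3 and the cookies-plus-all-sites combination named above; the risk weights and the sample manifest are constructed for this example.

```javascript
// Added example, not code from the SlowMist report: audit an extension manifest
// for the permissions discussed above. Weights and the sample manifest are constructed.
const RISK = {
  cookies: ["high", "read/modify cookies: enables session hijacking"],
  webRequest: ["high", "intercept/modify network requests"],
  clipboardRead: ["high", "read clipboard (seed phrases, addresses)"],
  clipboardWrite: ["high", "tamper with copied addresses"],
  management: ["high", "control other extensions"],
  downloads: ["high", "write files to disk"],
  tabs: ["medium", "enumerate open tabs and their URLs"],
  storage: ["medium", "persist harvested data locally"],
  history: ["medium", "read browsing history"],
};
// <all_urls> and scheme-wide wildcard hosts both mean "every site the user visits".
function isAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}
// Gather permissions from MV2/MV3 keys plus content-script match patterns.
function collectPermissions(manifest) {
  const found = new Set();
  for (const key of ["permissions", "optional_permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) found.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) found.add(m);
  }
  return [...found];
}
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const p of collectPermissions(manifest)) {
    if (isAllHosts(p)) findings.push({ permission: p, level: "high", why: "access every site" });
    else if (RISK[p]) findings.push({ permission: p, level: RISK[p][0], why: RISK[p][1] });
  }
  // cookies plus every site is the combination the report attributes to Aggr:
  // enough for the stolen-cookie abuse described in question 6, so flag it on its own.
  const sessionTheft = findings.some((f) => f.permission === "cookies") &&
    findings.some((f) => isAllHosts(f.permission));
  return { name: manifest.name, findings, sessionTheft };
}
// Constructed sample manifest mirroring the permission set named in question 5.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3, name: "Sample Trading Helper",
  permissions: ["cookies", "tabs", "storage"], host_permissions: ["<all_urls>"],
});
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run it against the manifest.json inside an unpacked extension directory before installing; a `sessionTheft: true` result is worth a second look at who published it and why it needs that reach.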

6. What can a malicious extension do after stealing cookies?

Malicious extensions can use stolen cookies to:

– Access account information.

– Make unauthorized transactions.

– Bypass two-step verification and withdraw funds.

– Access and collect sensitive information.

– Modify account settings.

– Impersonate users to conduct social engineering attacks.

Responses

Countermeasures for individual users

– Increase personal security awareness: remain skeptical.

– Only install extensions from trusted sources: read user reviews and permission requests.

– Use a secure browser environment: avoid installing extensions from unknown sources.

– Regularly check account activity: take immediate action if you notice suspicious behavior.

– Use hardware wallets: store large holdings in them.

– Use browser settings and security tools: reduce the risk of malicious extensions.

– Use security software: detect and prevent malware.

Risk control suggestions for the platform

– Enforce the use of two-factor authentication (2FA): Keep user accounts secure.

– Session management and security: Manage logged-in devices and implement session timeout policies.

– Strengthen account security settings: send security notifications and provide account freezing functions.

– Strengthen monitoring and risk control systems: monitor user behavior and identify abnormal transactions.

– Provide users with security education and tools: popularize security knowledge and provide official security tools.
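As an added example, not anything from the report or any exchange's code, the following server-side check implements the session-management recommendation above: it binds a session cookie to the device it was issued to and enforces an idle timeout, so a cookie copied by an extension and presented from elsewhere triggers step-up authentication on sensitive actions; the event records, field names and 30-minute threshold are constructed.

```javascript
// Added example, not code from the SlowMist report: bind a session cookie to the
// device it was issued to and enforce an idle timeout. Records are constructed.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // assumed session timeout policy
const SENSITIVE = new Set(["withdraw", "change_settings", "api_key_create"]);

// Evaluate one authenticated request against the session table.
// Verdicts: "ok", "expired", "review" (log it), "step_up" (require re-auth/2FA).
function checkRequest(sessions, ev) {
  const s = sessions.get(ev.sessionId);
  if (!s) {
    // First sighting: bind the cookie to the IP and user-agent that logged in.
    sessions.set(ev.sessionId, { ip: ev.ip, ua: ev.ua, lastSeen: ev.ts });
    return { verdict: "ok", reasons: [] };
  }
  if (ev.ts - s.lastSeen > IDLE_TIMEOUT_MS) {
    sessions.delete(ev.sessionId); // cookie is dead; the user must log in again
    return { verdict: "expired", reasons: ["idle timeout"] };
  }
  const reasons = [];
  if (ev.ua !== s.ua) reasons.push("user-agent changed");
  if (ev.ip !== s.ip) reasons.push("ip changed"); // noisy alone (mobile networks), strong with UA
  s.lastSeen = ev.ts;
  // A copied cookie presented from a new device is what stolen-cookie abuse looks
  // like: sensitive actions get step-up auth rather than a silent pass.
  if (reasons.length && SENSITIVE.has(ev.action)) return { verdict: "step_up", reasons };
  if (reasons.length) return { verdict: "review", reasons };
  return { verdict: "ok", reasons };
}

// Replay a request log through a fresh session table.
function runLog(events) {
  const sessions = new Map();
  return events.map((ev) => checkRequest(sessions, ev));
}

// Constructed request log: two normal requests, one replay from another device, one after timeout.
const EVENTS = [
  { sessionId: "s1", ip: "203.0.113.5", ua: "Chrome/125", ts: 0, action: "view_balance" },
  { sessionId: "s1", ip: "203.0.113.5", ua: "Chrome/125", ts: 60000, action: "trade" },
  { sessionId: "s1", ip: "198.51.100.9", ua: "curl/8.0", ts: 120000, action: "withdraw" },
  { sessionId: "s1", ip: "203.0.113.5", ua: "Chrome/125", ts: 120000 + 31 * 60000, action: "view_balance" },
];
console.log(runLog(EVENTS).map((r) => r.verdict).join(", "));
```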

Security and business need to be balanced. While protecting the security of user accounts and assets, platforms must also consider user experience. The SlowMist security team recommends that users ask themselves whether a piece of software or a plug-in is safe before installing it, so that cautionary stories do not become their own accidents. For more security knowledge, please read the "Blockchain Dark Forest Self-Rescue Manual" produced by SlowMist.

This article, Information Security Company SlowMist Reveals: The Truth About Chrome's Malicious Extension Software Stealing Millions of Dollars, first appeared on Chain News ABMedia.