|
Title: We need some help to decode a hacker addon Post by: seoincorporation on December 12, 2018, 02:45:03 PM A lot of users on the forum are getting scammed this way as you can see on the next links:
https://bitcointalk.org/index.php?topic=5083404.0 https://bitcointalk.org/index.php?topic=5083139.0 https://bitcointalk.org/index.php?topic=5081286.0 So, the add-on has been taken down and they upload it with another name, now is called CCB Cash. https://chrome.google.com/webstore/detail/%D1%81cb-cash/liachincjagnalnmahhaioaogkngbmhf?hl=en-US&gl=MX So, there is an extension to view source code from any addon, it's called 'Chrome extension source viewer' When i take a look to this code i realized how bad it is... Code: "name": "CCB Cash", So, this time i ask for some help, maybe the developers can find some useful information about this APP to stop this hacker. By the way, you don't have to install the addon to see the source. Title: Re: We need some help to decode a hacker addon Post by: nuno12345 on December 13, 2018, 08:52:22 AM Had a quick look.
How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php MyEtherWallet: Code: if (location.href.indexOf('myetherwallet') > -1) {That domain was clearly hacked. The expected format is something like none:myetherwallet:key When sending a GET request some currency tickers are returned. Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not? By removing some of the parameters "invalid" is returned. Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume. EDIT: Addresses of the thief: Code: CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S'; Some comments: //tut kodpzds - Google translate autodetects russian? Ofc.. //bikbuk = bikbuk*0.01; Some urls: https://help-tools.org/courses/plsnoban.php https://help-tools.org/md5.php https://help-tools.org/courses/status.php?s=c Title: Re: We need some help to decode a hacker addon Post by: buwaytress on December 13, 2018, 09:20:26 AM @nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.
For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own. Title: Re: We need some help to decode a hacker addon Post by: nuno12345 on December 13, 2018, 09:37:34 AM I understand.
What if someone makes an extension to block this type of behaviour? Requests could be blocked to certain urls, cors enforced, etc. By having an external list, say being grabbed from github it could be updated much quicker than relying on google or registrars to take down extensions/domains Title: Re: We need some help to decode a hacker addon Post by: jjjfff on December 13, 2018, 09:40:05 AM Note that no URL has ever been captured for help-tools.org
https://i.imgur.com/E9qQlG4.png Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose: Domain Name: HELP-TOOLS.ORG Registry Domain ID: D402200000008508823-LROR Registrar WHOIS Server: whois.namesilo.com Registrar URL: www.namesilo.com Updated Date: 2018-12-06T08:04:10Z Creation Date: 2018-12-02T06:52:52Z The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate. As expected the specific whois is anonymized: Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org Registry Admin ID: Admin Name: Domain Administrator Admin Organization: See PrivacyGuardian.org Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255 Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though. Title: Re: We need some help to decode a hacker addon Post by: KingZee on December 13, 2018, 11:18:21 AM Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose: I was just going to say that, it's a 404 on the main page, fresh domain, hacked my ass. I can't think of any way to prevent this from happening to your typical user. If someone thinks that it's possible for an addon, to monitor other downloaded addons, before they're installed, to check for patterns, then it might be possible to make a quick solution to prevent this in the future. You should all remember that the perpetrator is constantly promoting his scam here using newbie accounts, and probably reads all of this, so hello scammer, we're trying to stop you :D Title: Re: We need some help to decode a hacker addon Post by: seoincorporation on December 13, 2018, 01:54:00 PM Had a quick look. How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php MyEtherWallet: Code: if (location.href.indexOf('myetherwallet') > -1) {That domain was clearly hacked. The expected format is something like none:myetherwallet:key When sending a GET request some currency tickers are returned. Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not? By removing some of the parameters "invalid" is returned. Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume. EDIT: Addresses of the thief: Code: CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S'; Some comments: //tut kodpzds - Google translate autodetects russian? Ofc.. //bikbuk = bikbuk*0.01; Some urls: https://help-tools.org/courses/plsnoban.php https://help-tools.org/md5.php https://help-tools.org/courses/status.php?s=c Thanks nuno12345 that's some great information, was the kind of info i was searching for. I leave you some merits. :D Title: Re: We need some help to decode a hacker addon Post by: mistercoin on December 14, 2018, 05:07:21 PM @nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions. For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own. Sadly, I too believe this is the case. It will take a massive loss for the news to pick it up and spread the facts to the rest of the chrome users. I'm going to take a look at the source code and see if I can find any connections between the domains, addresses and people. I'll let you all know what I find. If only Google were as vigilant with their browser add-ons as they were with their YouTube platform takedown algorithms, our jobs would be a lot easier.. *sigh* -MisterCoin Title: Re: We need some help to decode a hacker addon Post by: Piggy on December 16, 2018, 07:10:52 AM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::)
How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Title: Re: We need some help to decode a hacker addon Post by: xBoxLive on December 16, 2018, 04:17:28 PM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::) How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. It is a scam. I reported it to Google. Now we wait 2 months for them to remove it? Title: Re: We need some help to decode a hacker addon Post by: Piggy on December 16, 2018, 08:03:16 PM It is a scam. I reported it to Google. Now we wait 2 months for them to remove it? I don't think they are going to be in any hurry to do that indeed. When you install the extension they are telling you the equivalent of "do it at your own risk". I guess they would act a bit faster just if they would start to lose money ::) Title: Re: We need some help to decode a hacker addon Post by: seoincorporation on December 16, 2018, 09:14:56 PM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::) How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Agree and it's sad, google and firefox should worry a little more for the customers, i know they are big platforms and should be hard for them to review their apps one by one, but c'mon we are almost in 2019 and that job could be done by artificial neural networks. A simple grep to verify if the app is hacking information from the main sites like google, outlook, or some social networks. Is intolerable the fact that anyone can make this kind of apps and publish them as if there were no law. Title: Re: We need some help to decode a hacker addon Post by: bob123 on December 20, 2018, 09:38:45 AM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. It depends on how you define safer. A web browser extension can:
However, a browser extension can NOT:
Running an executable on your system can do anything the user also is able to do (or even more if a privilege escalation is being abused). Title: Re: We need some help to decode a hacker addon Post by: KingZee on December 20, 2018, 11:37:11 AM ... I'm not sure honestly. I know for a fact browser extensions can access the file system purely from my experience with past extensions. I spent about 30 minutes skimming google and their developer docs. If this is wrong on my end please let me know :
So, API examples : https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this it looks like you can access absolute paths on the target machine. https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData. https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Even though after reading through it, it looke like that it might be only possible for the app to send messages to other apps that they programmed themselves. But even without mentioning all of these, just purely including complete browser access is a massive security risk. Especially for people who use web wallets. Like bob said the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms.. Basically a complete takeover over your browser experience. Title: Re: We need some help to decode a hacker addon Post by: Initscri on December 22, 2018, 01:10:44 AM Note that no URL has ever been captured for help-tools.org https://i.imgur.com/E9qQlG4.png Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose: Domain Name: HELP-TOOLS.ORG Registry Domain ID: D402200000008508823-LROR Registrar WHOIS Server: whois.namesilo.com Registrar URL: www.namesilo.com Updated Date: 2018-12-06T08:04:10Z Creation Date: 2018-12-02T06:52:52Z The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate. As expected the specific whois is anonymized: Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org Registry Admin ID: Admin Name: Domain Administrator Admin Organization: See PrivacyGuardian.org Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255 Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though. Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user. Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::) How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Quite the contrary, it's actually far easier to build & market a chrome extension (or FF) when compared to system level executable. Let's face it, any script kiddie can basically build one with junior-level knowledge of Javascript. If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-bitcoin related chrome extensions are built just waiting to pickup on Bitcoin related traffic. Title: Re: We need some help to decode a hacker addon Post by: ranman09 on December 22, 2018, 02:17:52 AM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::) How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them? Title: Re: We need some help to decode a hacker addon Post by: Initscri on December 23, 2018, 06:50:42 AM Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google ::) How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them? AFAIK, google releases the extensions onto the market without them being 100% verified first. There's just simply way too many extensions being uploaded, they wouldn't be able to manually approve each one. They employ individuals to respond to reports, and perform spot checks (and I'm sure they have automated systems to catch most things/conventional attacks); but at the end of the day it's primarily up to the user to verify. |
