[Be Alert] Browser Extensions help scammers steal bitcoin

[maxreish]

Browser Extensions Can Help Scammers Steal Your Bitcoin

Got a few browser extensions downloaded on my phone. And I've read another warning from Casa CEO in this article that gives me some time to think that I have bitcoin on my phone + I have browser extension. So, what now?

They are advising us "not to expose our bitcoin address anywhere". Especially when there are websites that want you to submit bitcoin address for free sats, promotions, etc. Be careful where you submit your credentials. Scammers are trying to steal our informations through BROWSER EXTENSIONS.

How?

-History- they can see our favorite crypro websites visits.
-Informations can be leaked like log in informations.
-Quiet Data theft- All this is happening on the background, without the user noticing it.

You got a nice background here and you don’t realize that your browser is actually dumping data

So, it is all about software that is about to enter in our browser extensions and what makes me sad is that we are all using  browser extensions.

My question is, How can we protect ourselves from data stealing?

Self awareness could have a significant role and they are still apps that are asking our permissions to get access to our data, if we carefully download those app we can still prevent those scammers to access our personal info. I know, these aren't new but anything is possible. They can access our data using different kind of ways to scam.

Just giving out some warning. Remember that, "The awareness and  acknowledgement of a single possibility can change everything.”

[1714944229]

1714944229

[1714944229]

1714944229

[1714944229]

1714944229

[1714944229]

1714944229

[1714944229]

1714944229

[Alluro]

Yes, If you are work with cryptos, security is an important thing. Then you have too always keep safe your computer. You can keep update your virus guard every day and keep update your operating system. The nest thing is to download only important things and gets them from official websites.

[mk4]

My question is, How can we protect ourselves from data stealing?

You just simply need to stop giving away information to centralized services/websites/businesses, especially when it's hugely unnecessary. Biggest example would be those scammy airdrops, whereas you're pretty much just exchanging your personal data for some altcoin that's very unlikely to actually be worth something in the end; even though for some reason some people thinks that these coins/tokens are "free". And that's just the tip of the iceberg.

[o_e_l_e_o]

You just simply need to stop giving away information to centralized services/websites/businesses, especially when it's hugely unnecessary.

This.

This is not a difficult concept. If you don't want to be a target of phishing emails, then stop giving away your email to literally everyone who asks for it. If you don't want to be SIM jacked or SIM swapped, then stop giving away your phone number. If you don't want to have your identity stolen, then stop sending your documents to complete strangers. If you don't want other people to have your data, then the first step is to stop giving it away freely.

In terms of apps and browser extensions, then just stop downloading them. Here are the only extensions you actually need: uBlock Origin, HTTPS Everywhere. There a couple other great ones like Privacy Badger, NoScript and Decentraleyes which are good for privacy and anti-tracking, but the only extensions you actually need are uBlock Origin and HTTPS Everywhere. You don't need an extension which gives you a bitcoin price ticker. You don't need an extension which searches online shops for you. You definitely don't need an extension which changes your background or font or some other nonsense. Every extension you download exposes you to a risk of malicious code. The same applies for apps. You don't need an app to take better selfies or give you a sparkly keyboard. If you want to download such nonsense then feel free, but realize you put yourself at a huge security risk by doing so.

The safest way to protect your data is to do nothing. Don't download that add on. Don't complete that KYC. Don't run that extension. The vast majority of data breaches are due to the user compromising their own security.

[Sohyun Park]

Three most important and basic things that can be done are:

• Storing funds offline. like in hardware wallet
• Do not store your passwords/phrases/2FA online
• Stop downloading unnecessary software and adding of extensions

Downloading of stupid software can insert malware in your system. Even if you delete the software later but, the malware won't be deleted.

[hugeblack]

You should be careful when it comes to cryptocurrencies because they can be used globally so all the Hackers from all over the world will try to hack you.
 
 - Don’t download programs from random sources or try to crack them: This includes the operating system, websites and others.
 - Air-gap Pc: secure environments (open source) & offline pc.

When downloading add-ons you should keep in mind that these versions are constantly updated because some legitimate programs have many back doors, lack of update from the developer makes you vulnerable to penetration.

[Malvika_sitlani]

There are so many things you can follow but I personally follow these below things for my self-

• Don't share your btc address with anyone.
• Always upgrade the software and use the new browser extension.
• Always try to use the tools which give you better user experience.
• Always try to use the tools which give you better user experience.
• Don't trust on social media recommendations.
• Try to activate your 2FA if any exchange ask you to register your phone number.
• Don't click on any email blindly.

[rearwheels]

I would also recommend to store private key from your wallet outside your computer and smartphone. Make some copies and store securely.

[o_e_l_e_o]

Don't share your btc address with anyone.

Sharing an address is fairly harmless. There's not much someone can do to target you or steal your coins with just an address.

Always try to use the tools which give you better user experience.

Completely disagree. The problem is many users will download any old app or extension which promises them a better camera, nice wallpapers, faster this, smoother that, without paying any attention to what the app/extension actually does or what permissions it asks for. Downloading any old thing which promises a better "user experience" will eventually cause you to be scammed or hacked.

Try to activate your 2FA if any exchange ask you to register your phone number.

Don't register your phone number, and don't use your phone number (either calls or texts) as 2FA. SIM jacking is not that difficult to achieve, and renders your 2FA useless. Use Authy or AndOTP instead.

[prix]

Don't share your btc address with anyone.

Sharing an address is fairly harmless. There's not much someone can do to target you or steal your coins with just an address.

This is about targeted attacks. The larger the value associated with this address the more willing to do targeted attack on the holder. And if somebody use only one address (or linked addresses) then sometimes you can get additional information from the blockchain, for example, what exchanges/services it uses. And use this information in targeted attacks. Therefore, if you want to specify an address, it is preferably empty and which is not associated with other significant addresses.

In general there have already been many similar topics. It's not just about browser extensions. You need to understand in general that the less used applications/services on the computer/phone the safer. Exceptions may be only for services that provide protection: virtual machines/sandboxes, firewalls, hips, etc. And even in this case you need to understand what you are installing and why.
If you need a lot of apps and you cannot do without it then think about a dedicated laptop/phone for financial affairs.

And this is just a small part of what needs to be done. An integrated approach is needed from setting up a router to hygiene in the internet.

[mk4]

This is about targeted attacks. The larger the value associated with this address the more willing to do targeted attack on the holder. And if somebody use only one address (or linked addresses) then sometimes you can get additional information from the blockchain, for example, what exchanges/services it uses. And use this information in targeted attacks. Therefore, if you want to specify an address, it is preferably empty and which is not associated with other significant addresses.

o_e_l_e_o's point still stands though. It's still fairly harmless in a security perspective(besides personal privacy). How can a hacker spearhead attack an address? It's not like a hacker can send a phishing email to a bitcoin address. The best that an individual can do is to track where the coins are going, and it pretty much ends there. Only the centralized services that's used can affiliate the addresses with an actual person. Of course unless, the user exposes his/her own identity by does something like send the coins to an address that's publicly affiliated to him/her(e.g. a bitcoin address on the person's personal Twitter bio).

[prix]

o_e_l_e_o's point still stands though. It's still fairly harmless in a security perspective(besides personal privacy). How can a hacker spearhead attack an address? It's not like a hacker can send a phishing email to a bitcoin address. The best that an individual can do is to track where the coins are going, and it pretty much ends there. Only the centralized services that's used can affiliate the addresses with an actual person. Of course unless, the user exposes his/her own identity by does something like send the coins to an address that's publicly affiliated to him/her(e.g. a bitcoin address on the person's personal Twitter bio).

This is not a direct attack on the address. It's about disclosing financial information about a person.
The attacker will be interested in this person, will begin to collect information. Do you think it is difficult to reveal the identity of an active cryptocurrency user for a professional hacker?
Further, you can get a full range of attacks including phishing emails and messages, attack on your services and routers, attack on exchanges and mobile operator, email providers, including physical attacks.
As a minimum, I know two cases in my country when they physically attacked crypto holders because they shown their crypto wealth. And about centralized services. In the darknet you can buy a bunch of information about a person. There are always some leaks. For example, in my country you can get an address, coordinates of movement for the past six months on cell towers, bank accounts, mobile phone numbers, passport scans, etc. As far as I know, in other countries the situation is not much better.
The same goes for crypto. Some exchanges have already closed and the data has been sold, there have been leaks of KYC-data, there are no guarantees that this will not happen in the future. Today you trust the exchange/service and passed the KYC, tomorrow they sold your data (email, KYC, ips) or lost during the hack.
For example, one of my emails leaked from a closed exchange (I used that address only for this exchange). And after that phishing emails began to come to that email.

Can a crypto user be sure that he has not left enough leads to reveal personally? No. So why give extra information about your wealth?

Therefore, the general advice is don't show the address.
If you are a paranoid who is surrounded by defenses, who uses tails, tor, signal etc. - please, your business.
But for the average joe the advice is the same - do not show the address with significant funds or which can lead to them.

[o_e_l_e_o]

Further, you can get a full range of attacks including phishing emails and messages, attack on your services and routers, attack on exchanges and mobile operator, email providers, including physical attacks.

Only if you have been irresponsible enough to disclose that information as well.

Let's say someone shares an address. The address has only had well mixed funds deposited in to it, so you can't trace it to any other service. The person sharing the address has never disclosed their name, address, age, gender, city, country, or any other physical information. They have never undergone KYC anywhere. They have never shared an email address or a phone number, and doesn't have any social media presence whatsoever. They only connect via VPN or Tor, so and IP information you have on them doesn't lead anywhere either.

If you can access any of the other information I have listed above, then that is where the security risk lies. Sharing an address might make you a target, or might compromise your privacy, but an attacker can achieve nothing with an address on its own. If have been careless enough to give away your phone number, email, physical location, and so forth, then that's the security risk.

[prix]

Sharing an address might make you a target, or might compromise your privacy, but an attacker can achieve nothing with an address on its own.

So that's the point. No one has argued otherwise.

Let's say someone shares an address. The address has only had well mixed funds deposited in to it, so you can't trace it to any other service. The person sharing the address has never disclosed their name, address, age, gender, city, country, or any other physical information. They have never undergone KYC anywhere. They have never shared an email address or a phone number, and doesn't have any social media presence whatsoever. They only connect via VPN or Tor, so and IP information you have on them doesn't lead anywhere either.

How large a percentage of crypto users fit this description? I don’t know ... every 100 thousandth?
We can discuss some abstract situation for a long time, but I suggest returning to a regular crypto user for whom these tips are given. Which uses the telegram (where recently it was easy to get the phone number by his name through contact book "hole"), which is registered on exchanges or ICOs with KYC, which can leave various traces leading to his name and surname or other private info... These tips are for him not for abstract full anonymous user (who already knows what and how to do without any tips).

[o_e_l_e_o]

So that's the point. No one has argued otherwise.

We have misunderstood each other then. As I said initially, there's not much someone can do to steal your coins with just an address. It's all the other things and sensitive data that people are usually very careless with which puts them at risk.

These tips are for him not for abstract full anonymous user (who already knows what and how to do without any tips).

Fair point. I would argue, though, that instead of giving the advice to not share your address, we should be instead giving the advice to stop splashing your personal details all over the internet. I could share addresses all day long and there is nothing you could do with them without also having my personal information. Conversely, if I were to share my personal information all day long, and I would become a target not just for crypto scams, but for all scams and identity theft, with or without any shared addresses. There's little point keeping your addresses secure if you are willing to post your real name, email, phone number, Facebook and Twitter accounts all over a public forum for the sake of some ICO or bounty.