Bitcoin Forum
Author Topic: Fake Google Sheets Extension - Scammed | Last Update!  (Read 610 times)
Ultegra134 (OP)
August 07, 2022, 10:13:16 PM
Last edit: August 21, 2023, 11:32:53 PM by Ultegra134
Merited by _BlackStar (3), Pmalek (2), Stalker22 (2), NeuroticFish (1), examplens (1), Lucius (1), coin-investor (1), khaled0111 (1), $crypto$ (1), DdmrDdmr (1), dkbit98 (1), vv181 (1), noorman0 (1)
 #1

This thread is a follow-up of the previous thread I created, regarding a lost XRP deposit. For those who haven't read it and have limited time, I'll summarize.

(https://bitcointalk.org/index.php?topic=5408926.0)

I tried depositing XRP from Kraken to Binance. My deposit was never credited to my account, which frustrated me, thinking I'd done something wrong. After several users suggested it, I contacted Binance, and they told me that this wasn't their XRP address and recommended that I install Binance's app on my phone. To my surprise, the address I had on my phone was different from the one on my computer. The same thing occurred if I tried depositing other coins, such as BTC or ETH. I was baffled; the support agent mentioned that it's probably malware on my computer.

I started with antivirus scans using Windows Defender and Malwarebytes; however, both showed no results. A few users suggested that it could be an extension on Chrome, so I decided to check, but nothing looked suspicious at first.

Google Sheets, Zen Mate, Ublock, Grammarly etc… Nothing suspicious, right? Except for the fact that I don't recall installing the Google Sheets extension. I didn't think much of it, since I use Google services a lot (Drive, Docs, Excel), but I noticed that for some strange reason its name was grayed out, while the other extensions' names weren't.

I deleted the extension and Binance is now showing the proper address. Upon further investigation and opening its source file, it has JavaScript code that switches coin addresses with the scammer's address. On top of that, whenever I searched the scammer's XRP or BTC address, the tab would crash.





The issue is that I don't recall installing something like this on my own, unless it popped up and I accepted its installation without realizing it. The extension's folder was created on 23/07/2022; it's relatively new and I can't remember if I downloaded any pirated software or what else.

This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are, that I would have lost my money.

Stalker22
August 07, 2022, 11:33:00 PM
 #2

Quote from: Ultegra134
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are, that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?

khaled0111
August 07, 2022, 11:37:46 PM
 #3

Thank you for the warning OP. I would've never suspected the Google Sheets extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out, doesn't that mean it's been disabled by the navigator?
This malware seems even more dangerous than the clipboard hijacker malware, because it changes the actual address at the source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!

Ultegra134 (OP)
August 07, 2022, 11:49:35 PM
 #4

Quote from: khaled0111
Thank you for the warning OP. I would've never suspected the Google Sheets extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out, doesn't that mean it's been disabled by the navigator?
This malware seems even more dangerous than the clipboard hijacker malware, because it changes the actual address at the source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!

Quote from: Stalker22
Quote from: Ultegra134
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are, that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?

My best guess is that it's not an actual functioning extension. A quick look at its main manifest.json file shows you what details it can present. If you click on any other extension, it opens up the extension or its settings (the Metamask wallet opens the wallet, Grammarly opens up preferences, etc.); the fake Google Sheets one didn't have an actual menu, thus it doesn't have anything to open and appears grayed out.


RikandMorty1
August 07, 2022, 11:59:32 PM
 #5

Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
coin-investor
August 08, 2022, 08:53:23 AM
 #6

After this post, I immediately checked all my extensions and checked if there are extensions on it that I don't remember putting in my browser. Everybody should know this, and it is riskier because they cannot be traced by anti-virus; if you haven't done an extensive review of your extensions you will not know this, because all this time we trust everything that comes from Google. I wonder if it is really coming from Google; I'm sure it's not.

Ultegra134 (OP)
August 08, 2022, 09:11:02 AM
 #7

Quote from: RikandMorty1
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.

Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first. This is before deleting the extension.



And this is after deleting it, displaying the address support indicated as theirs.


robelneo
August 08, 2022, 09:55:24 AM
 #8

Quote from: Ultegra134
Quote from: RikandMorty1
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.

Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first.

You have the whole community thanking you for not giving up and taking the time and effort to check your machine. If this was not caught by your anti-virus, then everybody here is at risk if they are not checking the address. This is another scheme by hackers to steal coins; awareness is the key when transacting. You have to not only double check but triple check addresses. We never know if we have this, even if we have these popular antiviruses.

Lucius
August 08, 2022, 10:15:01 AM
 #9

From what you wrote, it seems that you use certain security solutions. The only question is, do you have proactive protection when it comes to Malwarebytes, and do you use any other AV besides Windows Defender? There is no doubt that this malware somehow found a way to get into your computer; the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.

Ultegra134 (OP)
August 08, 2022, 02:40:00 PM
 #10

Quote from: Lucius
From what you wrote, it seems that you use certain security solutions. The only question is, do you have proactive protection when it comes to Malwarebytes, and do you use any other AV besides Windows Defender? There is no doubt that this malware somehow found a way to get into your computer; the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.

To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

dkbit98
August 08, 2022, 05:09:01 PM
 #11

Quote from: Ultegra134
On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

You could start by switching from using Chrome to the Firefox browser, or even better the Firefox fork called Librewolf.
The next step you could take is switching from wiNd0ws to a Linux OS like Fedora or Debian, so you won't need to install any antivirus software, which is mostly just security theater.
I would avoid installing many extensions and I would be careful installing anything on my computer, especially pirated software, but the risk would be much lower with Linux.

decodx
August 08, 2022, 11:13:54 PM
 #12

Quote from: Ultegra134
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal users' data, and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?

Lucius
August 09, 2022, 09:38:21 AM
 #13

Quote from: Ultegra134
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package, and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is also possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content, because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.

Ultegra134 (OP)
August 09, 2022, 11:05:02 AM
 #14

Quote from: decodx
Quote from: Ultegra134
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal users' data, and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?

Neither have I; it's frustrating. I could have never imagined that I'd have a malicious extension swapping coin addresses. I'll take a look through my downloads to see if I find anything suspicious.

Quote from: dkbit98
Quote from: Ultegra134
On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

You could start by switching from using Chrome to the Firefox browser, or even better the Firefox fork called Librewolf.
The next step you could take is switching from wiNd0ws to a Linux OS like Fedora or Debian, so you won't need to install any antivirus software, which is mostly just security theater.
I would avoid installing many extensions and I would be careful installing anything on my computer, especially pirated software, but the risk would be much lower with Linux.

I would, but Chrome is synchronizing everything through my Gmail account, something I find extremely convenient.

Quote from: Lucius
Quote from: Ultegra134
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor by VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package, and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is also possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content, because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.

Coincidentally, I have had Malwarebytes' premium trial for the past few days, and it didn't help.

fortunecrypto
August 09, 2022, 11:59:24 AM
 #15

Quote from: Ultegra134
Coincidentally, I have had Malwarebytes' premium trial for the past few days, and it didn't help.

This is very alarming, and we all thought that Malwarebytes is good at combating clipboard malware. I have Kaspersky and Avira here, and checking my extensions, so far there is none in my extensions like what you've discovered. If you are just a user and you just rely on anti-virus, and you have this, then how can you trust these anti-viruses? We have been like this because these anti-viruses promised to take care of everything; all we have to do is just upgrade to their premium plan.

vv181
August 09, 2022, 01:48:13 PM
 #16

Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

Stalker22
August 09, 2022, 06:16:19 PM
Merited by Pmalek (1)
 #17

Quote from: vv181
Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

I do not think this extension came from the official Google Chrome Web Store; that is probably why it was greyed out. OP said he installed some pirated software lately. In my experience, this is a very common way to get infected with malicious software and browser extensions.

Do not install programs from unofficial sources. They can give you more than you bargained for. ;)

Lucius
August 10, 2022, 10:58:39 AM
 #18

Quote from: fortunecrypto
This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/

Pmalek
Legendary
*
Activity: 2744
Merit: 7105
August 10, 2022, 01:03:54 PM
Merited by Stalker22 (1)
 #19

Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
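
The condition Pmalek describes (an extension that is not from the Chrome Web Store yet is still enabled) and the clipboard angle Lucius raises can both be checked directly in the profile's extension records. The script below is an added example for this thread, not code from any poster or from Google. It assumes that Chrome's `Preferences` / `Secure Preferences` JSON keeps one record per extension under `extensions.settings.<id>` with the keys `from_webstore` (bool), `state` (1 = enabled), `location` (install source; 4 = loaded unpacked), `path` and `manifest`; the sample profile embedded in it is constructed for the demonstration, including the fake extension IDs and paths.

```python
"""Audit a Chrome profile's extension records for side-loaded, enabled
extensions with permissions that could let them rewrite pages or read the
clipboard. Added example; assumes the Preferences JSON layout described in
the lead-in (keys from_webstore, state, location, path, manifest)."""
import json

STATE_ENABLED = 1        # assumed Chrome value for an enabled extension
LOCATION_UNPACKED = 4    # assumed Chrome ManifestLocation code for "unpacked"

# Permissions that deserve a second look on a side-loaded extension: they
# allow scripts on every site or access to the clipboard.
RISKY_PERMISSIONS = {
    "<all_urls>", "clipboardRead", "clipboardWrite",
    "webRequest", "webRequestBlocking", "tabs",
}
# Product names a lookalike extension might borrow (compared case-insensitively).
BRAND_WORDS = ("google", "chrome", "gmail", "docs", "sheets", "drive")

# Constructed sample profile: one normal Web Store install and one
# side-loaded "Google Sheets" lookalike that is enabled on every page.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {          # constructed ID
            "from_webstore": True,
            "state": STATE_ENABLED,
            "location": 1,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
            "manifest": {
                "name": "Example Ad Blocker",
                "version": "1.2.3",
                "permissions": ["storage", "<all_urls>"],
            },
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {          # constructed ID
            "from_webstore": False,
            "state": STATE_ENABLED,
            "location": LOCATION_UNPACKED,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\sheets",
            "manifest": {
                "name": "Google Sheets",
                "version": "1.0",
                "permissions": ["clipboardRead", "clipboardWrite", "tabs"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
            },
        },
    }}
})


def load_extension_settings(prefs_text):
    """Return the per-extension records from a Preferences JSON string."""
    prefs = json.loads(prefs_text)
    return prefs.get("extensions", {}).get("settings", {})


def declared_permissions(manifest):
    """Collect API permissions, host permissions and content-script match
    patterns into one set, so MV2 and MV3 manifests are treated alike."""
    perms = set(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def audit_extension(ext_id, entry):
    """Return a list of human-readable findings for one extension record
    (empty list means nothing suspicious under these rules)."""
    findings = []
    manifest = entry.get("manifest", {})
    name = manifest.get("name", "<unnamed>")
    from_store = bool(entry.get("from_webstore", False))
    enabled = entry.get("state") == STATE_ENABLED

    if not from_store:
        findings.append("not installed from the Chrome Web Store")
        if enabled:
            # Chrome greys out non-store extensions and should keep them off;
            # one that is still enabled is the case discussed in this thread.
            findings.append("enabled although side-loaded")
        if any(word in name.lower() for word in BRAND_WORDS):
            findings.append("name %r mimics a Google product" % name)
        risky = sorted(declared_permissions(manifest) & RISKY_PERMISSIONS)
        if risky:
            findings.append("risky permissions: " + ", ".join(risky))
    if entry.get("location") == LOCATION_UNPACKED:
        findings.append("loaded unpacked from %s" % entry.get("path"))
    return findings


def audit_profile(prefs_text):
    """Map extension ID -> findings, keeping only extensions with findings."""
    report = {}
    for ext_id, entry in load_extension_settings(prefs_text).items():
        findings = audit_extension(ext_id, entry)
        if findings:
            report[ext_id] = findings
    return report


if __name__ == "__main__":
    for ext_id, findings in audit_profile(SAMPLE_PREFERENCES).items():
        print(ext_id)
        for line in findings:
            print("  -", line)
```

On a real machine the JSON would be read from the profile directory instead of `SAMPLE_PREFERENCES`; the rules deliberately stay silent about Web Store extensions with broad permissions (the ad blocker in the sample), because that is normal for that class of extension, and only escalate those permissions when the install source is already suspicious.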

Ultegra134 (OP)
Hero Member
*****
Activity: 1540
Merit: 744
August 10, 2022, 07:38:30 PM
 #20

This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
Malwarebytes Premium was present when the extension was installed, however, it did nothing to protect from it. My best guess is that it's a new type of thing going on. On the other hand, Opera might be less susceptible to such extensions, however, before it happened to me, I had only heard about the copy-pasting malware. Displaying a whole new address, though, is way out of the ordinary.
Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
That's correct, Adobe Lightroom was downloaded after the extension's installation/creation. I can't recall if I had downloaded something else that has since been deleted. It's surprising that even though the extension was supposed to be disabled, it ran perfectly fine.
