Discovering Fake Browser Extensions That Target Users of Ledger, Trezor, MEW, Metamask, and More

Using a familiar phishing method to target new brands.

Harry
Harry
Apr 14, 2020 · 7 min read
Image for post
Image for post
This investigation was carried out by MyCrypto and PhishFort

Motivation and Purpose

Image for post
Image for post
An example of a malicious extension being delivered via Google Ads

Overview

Image for post
Image for post
Image for post
Image for post
A collage of reviews on various malicious extensions

Where did the stolen funds go?

How can I stay safe?

IOCS

afephhbbcdlgdehhddfnehfndnkfbgnm
agfjbfkpehcnceblmdahjaejpnnnkjdn
ahikdohkiedoomaklnohgdnmfcmbabcn
ahlfiinafajfmciaajgophipcfholmeh
akglkgdiggmkilkhejagginkngocbpbj
anihmmejabpaocacmeodiapbhpholaom
bhkcgfbaokmhglgipbppoobmoblcomhh
bkanfnnhokogflpnhnbfjdhbjdlgncdi
bpfdhglfmfepjhgnhnmclbfiknjnfblb
bpklfenmjhcjlocdicfadpfppcgojfjp
ckelhijilmmlmnaljmjpigfopkmfkoeh
dbcfhcelmjepboabieglhjejeolaopdl
dbcfokmgampdedgcefjahloodbgakkpl
ddohdfnenhipnhnbbfifknnhaomihcip
dehindejipifeaikcgbkdijgkbjliojc
dkhcmjfipgoapjamnngolidbcakpdhgf
effhjobodhmkbgfpgcdabfnjlnphakhb
egpnofbhgafhbkapdhedimohmainbiio
ehlgimmlmmcocemjadeafmohiplmgmei
epphnioigompfjaknnaokghgcncnjfbe
gbbpilgcdcmfppjkdociebhmcnbfbmod
glmbceclkhkaebcadgmbcjihllcnpmjh
gpffceikmehgifkjjginoibpceadefih
idnelecdpebmbpnmambnpcjogingdfco
ifceimlckdanenfkfoomccpcpemphlbg
ifmkfoeijeemajoodjfoagpbejmmnkhm
igkljanmhbnhedgkmgpkcgpjmociceim
ijhakgidfnlallpobldpbhandllbeobg
ijohicfhndicpnmkaldafhbecijhdikd
jbfponbaiamgjmfpfghcjjhddjdjdpna
jfamimfejiccpbnghhjfcibhkgblmiml
jlaaidmjgpgfkhehcljmeckhlaibgaol
kjnmimfgphmcppjhombdhhegpjphpiol
lfaahmcgahoalphllknbfcckggddoffj
mcbcknmlpfkbpogpnfcimfgdmchchmmg
mciddpldhpdpibckghnaoidpolnmighk
mjbimaghobnkobfefccnnnjedoefbafl
mnbhnjecaofgddbldmppbbdlokappkgk
nicmhgecboifljcnbbjlajbpagmhcclp
njhfmnfcoffkdjbgpannpgifnbgdihkl
noilkpnilphojpjaimfcnldblelgllaa
obcfoaeoidokjbaokikamaljjlpebofe
oejafikjmfmejaafjjkoeejjpdfkdkpc
ogaclpidpghafcnbchgpbigfegdbdikj
opmelhjohnmenjibglddlpmbpbocohck
pbilbjpkfbfbackdcejdmhdfgeldakkn
pcmdfnnipgpilomfclbnjpbdnmbcgjaf
pedokobimilhjemibclahcelgedmkgei
plnlhldekkpgnngfdbdhocnjfplgnekg
http://ledgerwallet.xyz/api.php
https://v1.ledgers.tech
https://coinomibeta.online/post/connexion.php
https://completssl.com/functions.php
https://completssl.com/ssnd_1.php
https://completssl.com/ssnd_el.php
https://completssl.com/ssnd_ex.php
https://completssl.com/ssnd_t.php
https://cxext.org/6721e14f0257a64f1f0a9114197d59ba/
https://docs.google.com/forms/d/1PXmiKeuYFdNS8D1q5yU1Cb7_9TwZQMbMCTl2PfSYhLI/formResponse
https://docs.google.com/forms/d/e/1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ/formResponse
https://docs.google.com/forms/d/e/1FAIpQLScuQg9Rpct1ahMotYT12xBAt3MmcubQg-duV1a0BZ_vo1Tj4g/formResponse
https://ledger.productions/api_v1/
https://mecxanalytic.co/api_keystore.php
https://mecxanalytic.co/api_mnemonic.php
https://mecxanalytic.co/api_private.php
https://trxsecuredapi.co/api_ledger.php
https://usermetrica.org/api_v1/
http://vh368451.eurodir.ru/api/v1/
https://walletbalance.org/api_v1/
ws://analytics-server296.xyz:4367

Talk To Us & Share Your Thoughts

MyCrypto

The Official MyCrypto Blog

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store