A plug-in called Google Sheets impersonates a Google Browser spreadsheet and hackers use it to steal crypto assets

A flaw in Google Chrome earlier this year allowed North Korean hackers to attack the cryptocurrency industry.

This time, the problem is not in Google Chrome itself but in a browser extension (plug-in).

Twitter user @Wallet_guard, who specializes in Web3-related security, revealed that hackers were using a Google Chrome plugin called “Google Sheets” to steal crypto assets by impersonating the original Google spreadsheet (Sheets) app.

But savvy readers will spot the flaw: “The fake Google Sheets icon comes with Docs and Slides, and the real spreadsheet feature will only be presented as ‘Sheets’, not ‘Google Sheets’.”

How did the fake “Google Sheets” get in and steal the victim’s money?

The fake plugin works by running a script: when your browser opens an exchange such as Coinbase, KuCoin, Binance or Gate.io, the script learns from the page’s Document Object Model (DOM) which field holds the transfer address.

As soon as you enter the correct address, even if you double-check it, the script swaps it for an address it already holds before the transfer is sent.

This allows you to be deceived without immediately knowing it.

Interestingly, @wallet_guard noticed that KuCoin was able to block the plugin’s functionality in some cases, though it is not known why.

Then @wallet_guard deliberately set the bait and successfully hooked it, further tracking the money movement of the fraudsters.

He traced the bait funds into the wallet 0x1PyDr1WBtFHyBJ5f2yrqss68ybtnwqseUvRaPzv3, and from there on to 0x47db3QZLa5sGTcdvn27jHpeNYPoGZtfB1JpDnPa7, 0x7483QZLa5sGTcdvn27jHpeNYPoGZtfB1JpDnP853 and online banks.

However, it is not yet known which bank the transfer is to.

If you are not sure whether one of your extensions contains a backdoor, right-click “Extensions”, open the management page, view the extension’s source code, and check whether it contains code like that shown in the figure below.

But more importantly, don’t install plugins from unknown sources, especially if they’re not available on Google’s official app store, and make sure the ones you do install are safe.
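The manual source check described above can start with the extension's `manifest.json`, which declares the sites its scripts run on. The following is an added example, not code from the article or from @wallet_guard: it flags content scripts and host permissions that cover the exchanges named above, and applies the article's naming clue. The function names and the sample manifest are constructed for illustration.

```javascript
// Added example (not the article's code): audit a parsed manifest.json.
// Exchange domains are the ones the article names.
const EXCHANGES = ["coinbase.com", "kucoin.com", "binance.com", "gate.io"];

// True if a Chrome match pattern such as "*://*.binance.com/*" covers
// `domain` or one of its subdomains.
function patternCovers(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false; // plain API permission such as "storage"
  const host = m[2].toLowerCase();
  if (host === "*") return true;
  const wildcard = host.startsWith("*.");
  const bare = wildcard ? host.slice(2) : host;
  return bare === domain || bare.endsWith("." + domain) ||
    (wildcard && domain.endsWith("." + bare));
}

function auditManifest(manifest) {
  const findings = [];
  const check = (kind, pattern, files) => {
    const exchanges = EXCHANGES.filter((d) => patternCovers(pattern, d));
    if (exchanges.length) findings.push({ kind, pattern, files, exchanges });
  };
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) check("content_script", p, cs.js || []);
  // Manifest V3 uses host_permissions; V2 mixed host patterns into permissions.
  for (const p of [...(manifest.host_permissions || []), ...(manifest.permissions || [])])
    check("host_permission", p, []);
  // Naming heuristic taken from the article: the genuine app is labelled "Sheets".
  if (/^google\s+sheets$/i.test(manifest.name || ""))
    findings.push({ kind: "name", pattern: manifest.name, files: [], exchanges: [] });
  return findings;
}

// Constructed sample manifest, not taken from the real malicious extension.
const sampleManifest = {
  manifest_version: 3,
  name: "Google Sheets",
  permissions: ["storage"],
  host_permissions: ["https://*.kucoin.com/*"],
  content_scripts: [
    { matches: ["https://docs.google.com/*"], js: ["sheets.js"] },
    { matches: ["*://*.binance.com/*", "https://www.gate.io/*"], js: ["content.js"] },
  ],
};
for (const f of auditManifest(sampleManifest))
  console.log(f.kind, f.pattern, f.files.join(","), f.exchanges.join(","));
```

A finding is a reason to read the listed script files, not proof of malice: an extension that claims to be a spreadsheet tool has no obvious need to run on exchange pages.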