Google recently removed 49 phishing Google Chrome web browser extensions after receiving reports about their activity.

Harry Denley, director of security at cryptocurrency wallet startup MyCrypto, explained in an April 14 Medium post how he got the extensions removed from Chrome’s store within 24 hours with the help of phishing-specialized cybersecurity firm PhishFort. 

The removed extensions include ones that targeted the owners of hardware wallets produced by Ledger, Trezor and KeepKey, and users of software wallets Jaxx, MyEtherWallet, Metamask, Exodus and Electrum.

The extensions triggered the users to enter the credentials needed to access the wallet — such as mnemonic phrases, private keys and keystore files — and sent them to bad actors. Hackers were then able to steal the crypto assets contained in the wallets.

Some of the extensions also had fake five-star ratings in the Chrome extension store, but the reviews contained little to no info ranging from “good,” “helpful app” to “legit extension.” 

One of the extensions reportedly had the same review copied and pasted eight times by different users. The copypasta included an introduction to Bitcoin (BTC) and explained why MyEtherWallet — the extension’s targeted wallet — was the preferred wallet option. It is worth noting that MyEtherWallet does not actually support Bitcoin.

One bad actor controlled most extensions

The investigation uncovered 14 control servers behind all the extensions, but fingerprinting analysis revealed that some of the servers were managed by the same bad actors, with the oldest domain being linked to many other control servers. Denley subsequently concluded that the same bad actors were behind most of the extensions.

Some of the domains used in the phishing campaigns were relatively old, but 80% of them were registered in March and April 2020. Most of the extensions were published on Chrome’s store this month.

Not the first phishing extensions targeting crypto users

This is not the first time that the community has discovered a malicious Google Chrome browser extension targeting crypto users. As Cointelegraph reported in late March, a Redditor warned the community that he lost some crypto assets after falling victim to a fake Ledger extension.

Google Chrome extensions targeting crypto users are so common, that earlier this month MyEtherWallet warned its user that its official extension was removed for allegedly containing malware. Fortunately, the extension was restored shortly after the team contacted Google to solve the issue.

Brett Callow, threat analyst at cybersecurity firm Emsisoft shared some advice on how to avoid falling victim to such phishing attempts:

"Security products may detect malicious extensions, but the first line of defence should always be common sense. The best advice is to only install extensions from official stores and to do a little research prior to installing them. If a website randomly prompts you to ‘Click ‘allow' to continue downloading an important browser update,’ just close the page.”