QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2020
GLOBAL
METAMASK
DESCRIPTION OF EVENTS
MetaMask is a "crypto wallet & gateway to blockchain apps. Start exploring blockchain applications in seconds. Trusted by over 21 million users worldwide." "Available as a browser extension and as a mobile app, MetaMask equips you with a key vault, secure login, token wallet, and token exchange—everything you need to manage your digital assets."
"Since the introduction of the Chrome Web Store in 2011, it has become the largest catalog of browser extensions with over 200,000 available to all of our users. This has helped millions of users to customize their browsing experience on Chrome in ways we could have never imagined, from niche utilities to companies building businesses around the platform’s capabilities."
"As Cointelegraph reported in mid-April, Google removed 49 phishing Chrome web browser extensions after reports of malicious activity. In early March, leading cryptocurrency hardware-wallet producer Ledger warned its users about the phishing extensions on the store."
"[In late April], Google announced yet more restrictions aimed at cleaning up the Chrome Web Store, noting "the increase in adoption of the extension platform has also attracted spammers and fraudsters introducing low-quality and misleading extensions in an attempt to deceive and trick our users into installing them to make a quick profit.""
"In May 2020, a cybersecurity researcher discovered 22 malicious Google Chrome extensions imitating crypto services like Ledger and MetaMask."
"Online scammers have been targeting other popular crypto companies to impersonate their apps on Google and steal money from users. In May 2020, a cybersecurity researcher discovered 22 malicious Google Chrome extensions imitating crypto services like Trezor’s rival Ledger and major Ether (ETH) wallet MetaMask."
"Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store."
"The extensions he discovered impersonated well-known crypto firms such as Ledger, KeepKey, MetaMask and Jaxx. Their purpose is to trick users into giving away the credentials needed to access their wallets."
"MEANWHILE, Google _keeps on approving phishers_. The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review. FURTHERMORE they are all allowed to buy premium Google ad space at the top of search results."
"Most of the phishing extensions have already been taken down as of press time. Per the report, most were down within 24 hours of Denley reporting them."
"Finlay told The Register that if Google wants to run the Chrome Web Store with few people, then they should implement systems to automatically enforce brand and trademark restrictions for the store and its ad platforms."
"I think it would be great for Google to make a stance of respecting trademarks in their ads, but I’m not sure if that runs counter to their business model," he said. "I sure hope Google doesn’t feel they need to protect phishing to stay afloat."
"Google's ad policy says the company will review trademark complaints from trademark holders, but only after receiving a complaint. Google's Chrome Web Store developer agreement forbids developers from violating intellectual property rights, which probably doesn't mean much to committed law-breakers. At the same time, it makes clear, "Google is not obligated to monitor the Products or their content.""
"Most of the phishing extensions have already been taken down as of press time. Per the report, most were down within 24 hours of Denley reporting them." "Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down."
In August 2020, "Google acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store."
Multiple malicious Chrome extensions attempting to impersonate the MetaMask wallet were found on the Google Play, and hundreds of users had downloaded them. The extensions, if used, would attempt to steal the 24 word seed phrase of new cryptocurrency users by tricking them into providing it. There is no report of any funds lost nor of any being recovered.
HOW COULD THIS HAVE BEEN PREVENTED?
Always check and visit the official website of a service. The majority of funds should be stored offline and not on a live wallet application. When setting up a new wallet or upgrading wallet software, never enter your pass phrase or send any funds without first transferring a smaller amount.
@Cointelegraph Twitter (Feb 25)
Trezor crypto wallet warns users of doppelgänger scam app on Google Play (Feb 25)
22 More Crypto-Stealing Google Chrome Extensions Discovered (Mar 2)
More crypto-stealing Chrome extensions swatted by Google – Naked Security (Mar 2)
@danfinlay Twitter (Mar 2)
https://metamask.io/ (Mar 6)
What is MetaMask? - YouTube (Mar 6)
https://pastebin.com/raw/33AJfKR3 (Mar 13)
@danfinlay Twitter (Mar 13)
Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims' passwords • The Register (Mar 13)
Chromium Blog: Keeping spam off the Chrome Web Store (Mar 13)
More fake digital currency wallets on Google taken down - CoinGeek (Mar 13)
https://www.crowdfundinsider.com/2020/05/161309-google-removes-22-malicious-chrome-browser-extensions-impersonating-widely-used-cryptocurrency-wallet-providers-like-trezor-ledger-metamask/ (Mar 13)
@myetherwallet Twitter (May 31)
@myetherwallet Twitter (May 31)
@danfinlay Twitter (May 31)
49 malicious Chrome extensions caught pickpocketing crypto wallets – Naked Security (Jul 2)
