MEGA has given details of a targeted attack, in which hackers managed to upload a malicious version of its Chrome browser extension to Google’s Web Store. For five hours, any user who ran the official installer had their accounts compromised.
Services affected include popular cryptocurrency wallet services MyEtherWallet (MEW), MyMonero, and decentralized asset exchange IDEX. Tech giants Amazon, Microsoft, and Google were also specifically targeted. There is currently no reliable information regarding how many accounts were directly compromised.
What’s curious is that MEGA seems to be implying that this is the result of a hacked Google account. An attacker was somehow able to use an official login to push an update that was laced with cryptocurrency-stealing malware. MEGA also notes that the stolen data appeared to be en route to a server in Ukraine.
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (read and change all your data on the websites you visit) that MEGA’s real extension does not require,” reads the statement. “Please note that if you visited any site or made use of another extension that sends plain-text credentials […] while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
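The tell-tale sign MEGA describes is the permission prompt: the trojaned build asked for “read and change all your data on the websites you visit”, which is the warning Chrome shows for broad host access patterns such as `<all_urls>`. One defensive check that follows from this is to diff an extension’s manifest permissions between the version already installed and the version an update is about to install, and block or alert when the update newly requests all-site access. The script below is an added example and is not MEGA’s code; the two manifests in it are constructed to mirror the kind of change described, not the real extension’s manifests.

```python
import json

# Host patterns that grant access to every site the user visits.
# Any of these trigger Chrome's "read and change all your data on the
# websites you visit" warning.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extract_permissions(manifest: dict) -> set:
    """Collect API and host permissions from a manifest (MV2 or MV3).

    MV2 lists host patterns under "permissions"; MV3 moves them to
    "host_permissions". Both are merged so the diff is version-agnostic.
    """
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    return perms


def is_broad_host(permission: str) -> bool:
    """True if the pattern matches every origin rather than specific hosts."""
    return permission in BROAD_HOSTS or permission.endswith("://*/*")


def diff_permissions(old_manifest: dict, new_manifest: dict) -> dict:
    """Return added/removed permissions and the subset of added ones that are broad."""
    old = extract_permissions(old_manifest)
    new = extract_permissions(new_manifest)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "broad_added": sorted(p for p in added if is_broad_host(p)),
    }


def should_block_update(old_manifest: dict, new_manifest: dict) -> bool:
    """Policy: refuse an update that newly requests all-site host access."""
    return bool(diff_permissions(old_manifest, new_manifest)["broad_added"])


# Constructed sample manifests (hypothetical, not the real extension's files):
# the installed version only reaches its own domain, the update asks for
# every site plus request-interception APIs.
INSTALLED_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Example Extension",
  "version": "3.39.3",
  "permissions": ["storage", "tabs", "*://example.test/*", "*://*.example.test/*"]
}
""")

UPDATE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Example Extension",
  "version": "3.39.4",
  "permissions": ["storage", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"]
}
""")


if __name__ == "__main__":
    report = diff_permissions(INSTALLED_MANIFEST, UPDATE_MANIFEST)
    print(json.dumps(report, indent=2))
    if should_block_update(INSTALLED_MANIFEST, UPDATE_MANIFEST):
        print("BLOCK: update newly requests all-site access:", report["broad_added"])
```

The check runs against the `manifest.json` of the unpacked extension directories (on a managed fleet these can be pulled from the browser profile before the update is allowed to apply); a narrow host pattern is deliberately not flagged, so an extension tightening its own permissions passes silently.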
MyEtherWallet (MEW), in particular, is no stranger to these attacks. Over a seven-month period, it fell victim to a series of hacks. First, users were targeted by tricksters who had uploaded a fake app, pre-loaded with dodgy private keys. Then, users were duped into visiting a hacked version of the website that saw more than 200 ETH ($56,000) stolen directly from user wallets.
This also isn’t the first time hackers have managed to pull off a scheme such as this.
The same thing has happened to Hola’s Chrome extension. Customers of the popular streaming service were treated to a hacked version of its browser extension, which was found to contain a backdoor like the one just found in MEGA’s.
Again, for five hours, any user who used MEW while running Hola’s Chrome extension had their private keys completely compromised, and were urged to move their funds as soon as possible.
Is no browser extension safe?
Exactly how it all happened is not immediately clear. MEGA’s official statement signs off by stating it is “currently investigating the exact nature of the compromise of our Chrome webstore account,” so I guess we’ll just have to wait and see what internal investigations reveal.
(Edit: This post has been updated to properly reflect the malicious app was uploaded to the Google Chrome Web Store, not its Play Store, as was originally reported.)
Published September 5, 2018 — 09:52 UTC