Hacked MEGA Chrome Extension was Used to Steal Cryptocurrency

Discussion in 'Lounge' started by anonzzz, 5 Sep 2018.

  1. anonzzz

    anonzzz Moderator

    Staff Member Lifetime Gold Gold Member No Limit
    Joined:
    13 May 2018
    Messages:
    1,224
    Likes Received:
    20,884
    Trophy Points:
    1,790
    Since a lot of us are using mega.nz, please be aware of this if you also use the chrome extension.

    https://www.ccn.com/hacked-mega-chrome-extension-was-used-to-steal-cryptocurrency/

    Hacked MEGA Chrome Extension was Used to Steal Cryptocurrency
    Chrome-desktop-760x400.jpg

    The Google Chrome extension for the popular file upload and sharing service MEGA has been compromised by hackers looking to steal login credentials and cryptocurrency keys, according to information from security researchers.

    The service, which was launched by Kim Dotcom in 2013 after the demise of MegaUpload, has had its Chrome extension removed from the Chrome Web Store presently.

    SerHack was the first researcher to sound the alarm, warning in a tweet on September 4 that version 3.39.4 of the extension was hacked, and potentially harvesting user information including usernames and passwords from a number of platforms including Amazon, Github, Google and Microsoft.

    View image on Twitter
    DmRB2ciWwAEyV-j?format=jpg&name=small.jpg
    a57VhlLu_normal.jpg
    SerHack@serhack_

    !!! WARNING !!!!!!! PLEASE PAY ATTENTION!!

    LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.

    Version: 3.39.4

    It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz

    10:16 AM - Sep 4, 2018
    Twitter Ads info and privacy

    Stealing Login Information
    The compromised MEGA extension actively monitors user information stored in the browser, looking out for URL strings that indicate registration or login forms. The data on such forms is then sent to an unidentified host in Ukraine called https://www.megaopac.host/.

    The malicious code also monitors for specific URLs such as “https://www.myetherwallet.com/*”, “https://mymonero.com/*”, and “https://idex.market/*”. If saved information is detected, it then executes a javascript function that attempts to steal private crypto keys from logged in users.

    Confirming the hack, MEGA released a statement that reads in part:

    “On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

    Google to Blame?
    In the statement released yesterday, MEGA blamed Google for removing their ability to sign extensions, making it easier for such incidents to take place.

    An excerpt from the statement reads:

    “We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.”

    Security researchers examining MEGA’s Firefox extension have seen no evidence of tampering, which would appear to support the claims in MEGA’s statement.

    Speaking to Bleeping Computer, SerHack who initially discovered the hack advised all Chrome MEGA users to uninstall the extension immediately. He also said that such users should immediately change all their passwords on any account they may have used on the browser, especially accounts relating to financial or government information.

    CCN earlier reported that cybercriminals are continuously developing new ways to illegally acquire cryptocurrency, moving from cryptojacking to sim swapping amongst other tactics.

    Featured image from Shutterstock.
     
    Last edited: 5 Sep 2018
  2. felixfischer

    felixfischer Master

    No Limit
    Joined:
    29 Mar 2018
    Messages:
    220
    Likes Received:
    9,688
    Trophy Points:
    823
    fuuuuuuk
     
  3. convectuoso

    convectuoso Moderator

    Staff Member Lifetime Gold Gold Member No Limit
    Joined:
    15 Feb 2018
    Messages:
    1,398
    Likes Received:
    62,421
    Trophy Points:
    6,123
  4. xtremecoder

    xtremecoder Master

    Lifetime Gold Gold Member No Limit
    Joined:
    7 Apr 2018
    Messages:
    1,068
    Likes Received:
    11,439
    Trophy Points:
    539
  5. DonAlderon

    DonAlderon Guest

    Pretty sure its happening again with mega.nz. How silly to keep using this service. our want is bigger than our need
     
  6. Andyw

    Andyw Silver II

    Joined:
    19 Apr 2020
    Messages:
    145
    Likes Received:
    389
    Trophy Points:
    10
    lots of other chrome extensions are dangerous too like the other day i had insta story download extension.. after clicking it pop message "use this program to download ig live story videos" and exe setup got downloaded and it was infected with virus... I uninstalled all similar extensions now:eek:
     
  7. ccdc

    ccdc New Member

    Restricted No Limit
    Joined:
    3 Apr 2020
    Messages:
    17
    Likes Received:
    5
    Trophy Points:
    3
    I wish mega wasnt even an option.. lots of security issues, the transfer limits stink, and have to install the app for large transfers.. overall just a clunky host in my opinion... workupload is the best I've found so far, but some users may not like splitting up compressed files due to their 2gb limit.

    I came across this file hosting site recently- https://anonfile.com/
    Has anyone used it or know if its a good host? Claims its totally anonymous (if you lose your password your just outta luck) and has a 20gb file size limit/unlimited bandwith. If it's legit it could be a great replacement for mega?
     
  8. ccdc

    ccdc New Member

    Restricted No Limit
    Joined:
    3 Apr 2020
    Messages:
    17
    Likes Received:
    5
    Trophy Points:
    3
    I use a lot of these extensions.. Mind sharing which one it was so I can delete it if I do have it?
     
  9. Andyw

    Andyw Silver II

    Joined:
    19 Apr 2020
    Messages:
    145
    Likes Received:
    389
    Trophy Points:
    10
    Its not possible to share exact link it might got deleted on chrome, it was called ig stories i think (users can download story videos by one click)
    Logo was similar to this one
     

    Attached Files:

  10. ccdc

    ccdc New Member

    Restricted No Limit
    Joined:
    3 Apr 2020
    Messages:
    17
    Likes Received:
    5
    Trophy Points:
    3
    yupi have that right now! deleting. thanks for the info!
     
Top