DOI: 10.1145/3578338.3593529

Characterizing Cryptocurrency-themed Malicious Browser Extensions

Published: 19 June 2023

Abstract

Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to the users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer.

Cited By

  • (2024) Malware Threats Targeting Cryptocurrency: A Comparative Study. 2024 2nd International Conference on Cyber Resilience (ICCR), 1-8. DOI: 10.1109/ICCR61006.2024.10532846. Online publication date: 26-Feb-2024
  • (2023) ScamRadar: Identifying Blockchain Scams When They are Promoting. Blockchain and Trustworthy Systems, 19-36. DOI: 10.1007/978-981-99-8101-4_2. Online publication date: 25-Nov-2023

    Published In

    SIGMETRICS '23: Abstract Proceedings of the 2023 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems
    June 2023
    123 pages
    ISBN:9798400700743
    DOI:10.1145/3578338
    • ACM SIGMETRICS Performance Evaluation Review, Volume 51, Issue 1
      SIGMETRICS '23
      June 2023
      108 pages
      ISSN:0163-5999
      DOI:10.1145/3606376
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. browser extension
    2. cryptocurrency
    3. malware detection

    Qualifiers

    • Abstract

    Conference

    SIGMETRICS '23

    Acceptance Rates

    Overall Acceptance Rate 459 of 2,691 submissions, 17%
