Cybersecurity Company SlowMist Exposes the Truth About a Malicious Chrome Extension Stealing Millions of Dollars

Recently, users in the crypto community suffered significant financial losses after installing the malicious Chrome extension Aggr, an incident that has attracted widespread attention. To help users better understand the risks of browser extensions and strengthen their own security, the SlowMist security team analyzed the extension's malicious behavior in detail and provided practical security recommendations.

Community Warning Sparks Concern
Analysis by the SlowMist Security Team
1. What is a Chrome extension?
2. What are the functions of Chrome extensions?
3. What permissions do Chrome extensions have after installation?
4. Why can malicious Chrome extensions steal user permissions?
5. How do malicious extensions steal user permissions and funds?
6. What can malicious extensions do after stealing cookies?
Countermeasures
Countermeasures for individual users
Platform risk control recommendations
On June 3, 2024, Twitter user @CryptoNakamao posted about losing $1 million after downloading the malicious Chrome extension Aggr. The incident quickly sparked widespread discussion in the crypto community, with users voicing concerns about extension risks and the security of their crypto assets.

On May 31, the SlowMist security team released a detailed analysis report on the Aggr extension, revealing its malicious behavior. Through a Q&A format, this article helps users understand the basics and potential risks of Chrome extensions and provides countermeasure recommendations.

Analysis by the SlowMist Security Team

1. What is a Chrome extension?

Chrome extensions are plugins built for the Google Chrome browser that extend its functionality and behavior. They are typically built with web technologies such as HTML, CSS and JavaScript, and their main components are:
– manifest.json: the extension’s configuration file, defining its basic information.
– background script: handles background tasks.
– content script: interacts with web pages.
– user interface: toolbar buttons, pop-up windows, etc.
2. What are the functions of Chrome extensions?

Chrome extensions serve many purposes, including:
– Ad blocking: improving page loading speed and user experience, such as AdBlock.
– Privacy and security: enhancing user privacy and security, such as Privacy Badger.
– Productivity tools: increasing work efficiency, such as Todoist.
– Developer tools: providing debugging and development tools, such as React Developer Tools.
– Social media and communication: facilitating social media notifications, such as Grammarly.
– Web customization: customizing web appearance and behavior, such as Stylish.
– Task automation: assisting in automating repetitive tasks, such as iMacros.
– Language translation: real-time translation of web content, such as Google Translate.
– Cryptocurrency assistance: facilitating cryptocurrency transactions, such as MetaMask.
3. What permissions do Chrome extensions have after installation?

Chrome extensions may request permissions including:
– <all_urls> (host permission): Access to all website content.
– tabs: Access to browser tab information.
– activeTab: Temporary access to the currently active tab.
– storage: Use of Chrome’s storage API.
– cookies: Access and modification of browser cookies.
– webRequest: Intercepting and modifying network requests.
– bookmarks: Access and modification of browser bookmarks.
– history: Access and modification of browser history records.
– notifications: Display desktop notifications.
– contextMenus: Adding custom menu items.
– geolocation: Access to user geolocation information.
– clipboardRead and clipboardWrite: Reading and writing clipboard content.
– downloads: Managing downloads.
– management: Managing other extensions and applications.
– background: Running tasks in the background.
– webNavigation: Monitoring and modifying browser navigation behavior.
While these permissions provide powerful functionality, they may also access sensitive user data.

4. Why can malicious Chrome extensions steal user permissions?

Malicious extensions exploit the permissions they request to steal user information and authentication data. Specific methods include:
– Requesting extensive permissions, such as accessing all websites, reading and modifying tabs, accessing storage, etc.
– Manipulating network requests to intercept and modify them, stealing authentication information.
– Reading and writing page content by embedding code to read and modify page data.
– Accessing browser storage to retrieve sensitive information stored locally.
– Manipulating the clipboard to read and tamper with copied information.
– Impersonating legitimate websites to induce users to enter sensitive information.
– Running in the background for extended periods to monitor user activity and collect data.
– Managing downloads of malicious files that threaten system security.
5. How do malicious extensions steal user permissions and funds?

The malicious extension Aggr used broad permissions (such as cookies, tabs, <all_urls> and storage) to steal user permissions and funds through actions like:
– Simulating user logins to trading platform accounts.
– Unauthorized trading and fund transfers.
– Accessing and collecting sensitive information.
– Modifying account settings to control user accounts.
– Engaging in social engineering attacks to further obtain sensitive information.
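The permission list from question 3 and the combination Aggr requested in question 5 can be checked mechanically before an extension is trusted. The following is an added example, not SlowMist's or Aggr's code: a Node.js audit of an extension's manifest.json that scores the risky permissions and flags the cookies plus all-sites combination; the risk weights are an assumption, and the sample manifest is constructed.

```javascript
// Added example, not SlowMist's or Aggr's code. Risk weights are an assumption
// for illustration; the sample manifest is constructed, not the real Aggr one.
const RISK = {
  "<all_urls>": 3,    // host permission: read and modify every site the user visits
  cookies: 3,         // read session cookies: account takeover without a password
  webRequest: 3,      // intercept and modify network requests (tokens, API calls)
  tabs: 2,            // enumerate open tabs and their URLs
  clipboardRead: 2,   // read copied seed phrases, addresses, passwords
  clipboardWrite: 2,  // replace a copied wallet address with another one
  management: 2,      // disable other (security) extensions
  downloads: 2,       // drop files onto the system
  storage: 1,         // persist collected data between sessions
};
const hasRisk = (p) => Object.prototype.hasOwnProperty.call(RISK, p);

// Host patterns that cover every site are treated the same as <all_urls>.
const BROAD_HOST = /^(\*|https?):\/\/\*\/\*$/;

// Collect permissions from MV2 and MV3 manifests: MV3 keeps host patterns in
// host_permissions, MV2 mixes them into permissions. Optional permissions count
// too, because the extension can request them later with a single prompt.
function collectPermissions(manifest) {
  const raw = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  return [...new Set(raw.map((p) => (BROAD_HOST.test(p) ? "<all_urls>" : p)))];
}

function auditManifest(manifest) {
  const perms = collectPermissions(manifest);
  const findings = perms.filter(hasRisk).map((p) => ({ permission: p, weight: RISK[p] }));
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  // cookies together with all-site access is the combination that lets an
  // extension lift exchange session cookies and sidestep 2FA.
  const sessionTheftCapable = perms.includes("cookies") && perms.includes("<all_urls>");
  return { score, sessionTheftCapable, findings };
}

// Constructed sample requesting the broad set the Aggr analysis lists:
// cookies, tabs, <all_urls>, storage.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "constructed-sample",
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run it against the manifest.json of any unpacked extension (the file inside the extension's directory) to see which of the permissions above it asks for.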
6. What can malicious extensions do after stealing cookies?

Malicious extensions can use stolen cookies to perform actions like:
– Accessing account information.
– Conducting unauthorized transactions.
– Bypassing two-factor authentication to withdraw funds.
– Accessing and collecting sensitive information.
– Modifying account settings.
– Impersonating users for social engineering attacks.
Countermeasures

Countermeasures for individual users
– Enhancing personal security awareness: maintain a skeptical attitude.
– Installing extensions only from trusted sources: read user ratings and permission requests.
– Using a secure browser environment: avoid installing extensions from unknown sources.
– Regularly checking account activity: take immediate action upon discovering suspicious behavior.
– Using a hardware wallet: store large assets securely.
– Browser settings and security tools: reduce the risk of malicious extensions.
– Using secure software: detect and prevent malicious software.
Platform risk control recommendations
– Enforcing two-factor authentication (2FA): ensure the security of user accounts.
– Session management and security: manage logged-in devices, implement session timeout policies.
– Strengthening account security settings: send security notifications, provide account freeze functionality.
– Enhancing monitoring and risk control systems: monitor user behavior, identify abnormal transactions.
– Providing users with security education and tools: popularize security knowledge, provide official security tools.
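As an added illustration of the session-management and monitoring recommendations above (example code, not SlowMist's or any platform's): a platform-side check that binds a session to the client seen at login and flags later requests on the same session cookie that arrive from a different IP or User-Agent, or after an assumed idle limit, which is the pattern a cookie-stealing extension produces. The events, the idle limit and the list of sensitive actions are constructed assumptions.

```javascript
// Added example, not SlowMist's or any exchange's code. Events are constructed;
// the idle limit and the sensitive-action list are assumptions for illustration.
const IDLE_LIMIT_MS = 15 * 60 * 1000;
const SENSITIVE = new Set(["withdraw", "trade", "change_settings"]);

const EVENTS = [
  { ts: "2024-06-03T08:00:00Z", sid: "s1", user: "alice", ip: "203.0.113.10", ua: "Chrome/125", action: "login" },
  { ts: "2024-06-03T08:05:00Z", sid: "s1", user: "alice", ip: "203.0.113.10", ua: "Chrome/125", action: "view_balance" },
  // Same cookie, different network and client: the stolen session being replayed.
  { ts: "2024-06-03T08:07:00Z", sid: "s1", user: "alice", ip: "198.51.100.7", ua: "python-requests/2.31", action: "withdraw" },
  { ts: "2024-06-03T09:00:00Z", sid: "s2", user: "bob", ip: "192.0.2.5", ua: "Firefox/126", action: "login" },
  { ts: "2024-06-03T09:05:00Z", sid: "s2", user: "bob", ip: "192.0.2.5", ua: "Firefox/126", action: "view_balance" },
  // Same client, but 25 minutes idle: the session should already have expired.
  { ts: "2024-06-03T09:30:00Z", sid: "s2", user: "bob", ip: "192.0.2.5", ua: "Firefox/126", action: "trade" },
];

// Bind each session to the IP and User-Agent seen at login and to its last
// activity time. A later request on that session from a different client, or
// after the idle limit, is a hijack candidate; sensitive actions are blocked
// and should trigger step-up MFA. IP alone is noisy (mobile networks change
// it), so the alert records which signals disagreed instead of trusting one.
function detectSessionHijacks(events) {
  const bindings = new Map();
  const alerts = [];
  for (const e of events) {
    const t = Date.parse(e.ts);
    if (e.action === "login") {
      bindings.set(e.sid, { ip: e.ip, ua: e.ua, last: t });
      continue;
    }
    const b = bindings.get(e.sid);
    const mismatch = [];
    if (!b) {
      mismatch.push("unknown-session");
    } else {
      if (b.ip !== e.ip) mismatch.push("ip");
      if (b.ua !== e.ua) mismatch.push("user-agent");
      if (t - b.last > IDLE_LIMIT_MS) mismatch.push("idle-timeout");
      b.last = t;
    }
    if (mismatch.length) {
      alerts.push({ sid: e.sid, user: e.user, action: e.action, mismatch, block: SENSITIVE.has(e.action) });
    }
  }
  return alerts;
}

console.log(detectSessionHijacks(EVENTS));
```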
Balancing security and business needs, platforms must consider user experience while protecting user accounts and assets. The SlowMist security team recommends that users ask themselves whether it is safe before installing any software or plugin, so that someone else's cautionary story does not become their own accident. For more security knowledge, please read the SlowMist-produced “Blockchain Dark Forest Self-Rescue Manual”.
