Ethereum Warning: Ethereum Wallet Injects Malicious JavaScript To Steal Data

An Ethereum wallet available as a Chrome browser extension has been found to be injecting malicious JavaScript code. ‘Shitcoin Wallet’ tries to scrape data from other open windows and send it to a remote server.



MyEtherWallet And Binance Among Those Targeted

The code was identified by security and anti-phishing expert, Harry Denley, who warned about the potential breach in a tweet.

⚠️ A browser crypto wallet is injecting malicious JS to steal secrets from @myetherwallet @idexio @binance @neotrackerio @SwitcheoNetwork

Extension-native wallet create also sends secrets to their backend!

Bad guys: erc20wallet[.]tk

ExtensionID: ckkgmccefffnbbalkmbbgebbojjogffn pic.twitter.com/TE2iw5d8Md

— harrydenley.eth ◊ (@sniko_) December 31, 2019

The ‘Shitcoin Wallet’ Chrome extension (ExtensionID: ckkgmccefffnbbalkmbbgebbojjogffn) downloads a number of JavaScript files from a remote server.

This code looks for other browser windows that are open on the websites of a number of exchanges and Ethereum network tools. It then attempts to scrape data entered into these windows and send it to a remote server, erc20wallet.tk.

‘.tk’ is the country-code top-level domain for Tokelau, a group of South Pacific islands which is a territory of New Zealand.

The code targets the websites of MyEtherWallet, IDEX, Binance, NEO Tracker, and Switcheo, specifically looking for passwords and private keys.
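A defender can check installed extensions against these indicators. The following is an added example, not code from the article or from Harry Denley's analysis: it audits a parsed manifest.json for the extension ID and remote domain reported above and for host access to the targeted services. The hostnames in WATCHED_HOSTS, the function names and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: indicator values come from the article; hostnames and samples are constructed.
const BLOCKED_IDS = new Set(["ckkgmccefffnbbalkmbbgebbojjogffn"]); // extension ID from the article
const IOC_DOMAINS = ["erc20wallet.tk"]; // remote server named in the article
// Assumed hostnames for the services the article names; adjust to your own list.
const WATCHED_HOSTS = ["myetherwallet.com", "idex.market", "binance.com",
  "neotracker.io", "switcheo.exchange"];

// True when a Chrome match pattern grants access to `domain` or one of its subdomains.
function touches(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)/.exec(pattern); // API permissions like "tabs" do not match
  if (!m) return false;
  const host = m[1].toLowerCase();
  if (host === "*") return true;
  const wild = host.startsWith("*.");
  const base = wild ? host.slice(2) : host;
  const within = (a, b) => a === b || a.endsWith("." + b); // a is b or a subdomain of b
  return within(base, domain) || (wild && within(domain, base));
}

// Returns a list of findings for one installed extension (ID plus parsed manifest.json).
function auditExtension(id, manifest) {
  const findings = [];
  if (BLOCKED_IDS.has(id)) findings.push("blocked-id");
  const patterns = [
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
    ...(manifest.permissions || []),      // Manifest V2 mixes host patterns in here
    ...(manifest.host_permissions || []), // Manifest V3
  ].filter((p) => typeof p === "string");
  for (const domain of WATCHED_HOSTS) {
    const hit = patterns.find((p) => touches(p, domain));
    if (hit) findings.push(`host-access:${domain} via ${hit}`);
  }
  const raw = JSON.stringify(manifest).toLowerCase();
  for (const ioc of IOC_DOMAINS) if (raw.includes(ioc)) findings.push(`ioc-domain:${ioc}`);
  return findings;
}

// Constructed manifests (not the real extension's manifest).
const SAMPLE_SUSPICIOUS = {
  manifest_version: 2, name: "constructed sample",
  permissions: ["storage", "*://*.binance.com/*"],
  content_scripts: [{ matches: ["https://www.myetherwallet.com/*"], js: ["c.js"] }],
  content_security_policy: "script-src 'self' https://erc20wallet.tk; object-src 'self'",
};
const SAMPLE_BENIGN = {
  manifest_version: 3, name: "constructed benign sample",
  permissions: ["storage"], host_permissions: ["https://example.org/*"],
};
console.log(auditExtension("ckkgmccefffnbbalkmbbgebbojjogffn", SAMPLE_SUSPICIOUS));
```

Because the extension is reported to download its scripts at runtime, the remote domain may not appear in the manifest at all, so the ID match and the host-access findings are the more reliable signals.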

Ethereum Shitcoin Wallet Is Pretty Nasty!

According to its website, Shitcoin Wallet is available as a Chrome browser extension and a Desktop app for Windows, although goodness knows what additional mischief the app might get up to.

It claims to be ‘Covered By Insurance’, although of course this is not explained or substantiated further. The website also makes a big thing about your private key only being stored on your local PC, and not needing to ‘worry about assets loss due to any hacker attack to ShitcoinWallet servers.’

Riddled with grammatical and spelling errors, it suggests that users will ‘receive many tokens everyday by our team and our partners’. This includes an alleged, ‘AIRDROP 0.05 ETH FOR FIST (sic) 500 USERS’.

Finally, as a ‘Fun Fact’ it claims that ‘Shitcoin wallet is pretty good!’

Google Chrome Removes MetaMask

Last year a number of Chrome browser extensions were identified which enabled cryptojacking, or the secret mining of cryptocurrency on a user's machine.

Just last week, Google removed the Ethereum wallet app MetaMask from its Google Play App Store. The reason cited was that the app enabled cryptocurrency mining on mobile devices, which the developer denies.
