
SANS Stormcast Thursday, May 22nd 2025: Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9462.mp3


New Variant of Crypto Confidence Scam
Scammers are handing out login credentials for what appear to be high-value crypto coin accounts. The goal, however, is to trick users into paying for expensive "VIP" memberships that are supposedly required to withdraw the money.
https://isc.sans.edu/diary/New%20Variant%20of%20Crypto%20Confidence%20Scam/31968

Malicious Chrome Extensions
Malicious Chrome extensions mimic popular services like VPNs to trick users into installing them. Once installed, the extensions exfiltrate browser secrets.
https://dti.domaintools.com/dual-function-malware-chrome-extensions/

Malicious VS Code Extensions
Malicious Visual Studio Code extensions target crypto coin developers, tricking them into installing extensions that exfiltrate developer secrets.
https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#indicators-of-compromise

Podcast Transcript

Hello and welcome to the Thursday, May 22nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering. I am recording in Jacksonville, Florida.

Remember a few weeks ago we had these scammers that actually left comments on the Internet Storm Center YouTube channel that listed their private passphrase for their crypto coin wallets. Well, we looked into this, and the reason they did this was not to give you the money. Kind of, that would have been too easy and not much of a scam. But instead, the way these crypto wallets were set up, they needed a second passphrase in order to actually work and for you to be able to deduct money from them. So they tried to trick you into actually sending the money for the transaction fee ahead of realizing that you can't actually get to the money.

Well, it looks like we have a little bit of evolution of this scam happening now. I've observed it on X, where via direct message someone approached me and told me that, hey, you actually got some money from me coming here. And then they gave me the username and password to actually log into their account. And these credentials work on this very specific website. The problem, of course, with this is that, well, it's not so easy to actually get to the money from that website. This website, I'm not familiar with it. I doubt it's legit, but it doesn't really look all that confidence building.

Once you're trying to actually withdraw the money from the account, you're prompted with, well, the next challenge: in order to actually withdraw the money, you need to know a key password. And of course, you don't have that key password, but there is a solution. All you have to do is set up a new account with that website, and then you're able to transfer instead of withdraw the money, which according to the help that's being delivered here does not require the key. Okay, so I set up an account. And what I got next was that I was still not able to transfer the money without first signing up for a VIP account, which, well, costs, of course, money. The smallest account they have is $50. But with that, you can only transfer $30 a month. So that doesn't really get you a good return on investment, actually a negative return on investment. You have to sort of get at least $1,000 invested here in order to get to a positive return on investment in the first month. Or if you want to actually get your money back in a day, then you need to invest $3,000. So that's the trick here. I assume that the website is then just, well, grabbing the money, and you're still not getting anything out of it. Maybe with the $50 account, you can actually get $10 back, so for a little bit of that building confidence; that's sort of what a lot of the time these confidence scams are about. Anyway, if anybody has any more insight into this scam, let me know. But it looks to me like they basically want to trick you into signing up for one of these VIP accounts, promising that you would be able to steal that money. And, well, then again, sort of playing on the victim's greed.

Anyway, we got a couple of stories related to fake extensions. First one, Chrome extensions. DomainTools wrote an article summarizing some of the work they have done recently getting rid of some of these malicious Chrome extensions. These extensions claim to be VPNs and crypto coin tools and similar things. And on the surface, at first, they look like they actually function. The problem is that in addition to providing some more or less valid functionality, well, they're also going to steal all your data. And remember that any Chrome extension that you install typically has access to everything you are doing in Chrome. So that way they can have access to session tokens, usernames, passwords, anything you enter, anything you view in your browser is typically available to these extensions. Your best defense against this is that you probably should just limit the number of extensions that you are using in your browser, be it Chrome or another browser, of course, with Chrome being the biggest one out there.

Datadog Security Labs identified, well, again, malicious extensions, but this time in Visual Studio Code. Of course, if you're using Visual Studio Code as an editor for your programming tasks, well, in that case, these extensions, just like extensions in a browser have access to everything in a browser, have access to everything you do in your code editor. And then, of course, it can become a big problem. In this particular case, the extension will then exfiltrate data from your system. It's essentially an info stealer. And the extensions that Datadog Security found appear to be targeting crypto coin developers based on the naming scheme and also based on the data they're trying to exfiltrate. Just like with browser extensions, be careful what you install and try to minimize the number of extensions that you have installed.

Well, and that's it for today. Thanks for listening and talk to you again tomorrow. Bye.
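As an added example (not code from the ISC diary, the DomainTools write-up or the Datadog article), here is a small Python triage script that reads a Chrome extension's manifest.json and lists the grants that give it the "access to everything" the episode warns about: all-site host permissions, sensitive API permissions, and content scripts injected into every page. It relies only on the documented manifest keys (permissions, host_permissions, content_scripts); the two sample manifests and the extension names in them are constructed.

```python
import json

# API permissions that let an extension read or alter traffic, cookies, pages.
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "clipboardRead", "history", "debugger", "proxy",
}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_hosts(patterns):
    """Return, sorted, the match patterns that cover all sites."""
    return sorted(p for p in patterns if p in BROAD_HOSTS)


def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for h in broad_hosts(hosts):
        findings.append(f"host access to every site: {h}")
    for p in sorted(perms & SENSITIVE_PERMISSIONS):
        findings.append(f"sensitive permission: {p}")
    for script in manifest.get("content_scripts", []):
        for h in broad_hosts(script.get("matches", [])):
            findings.append(f"content script injected into every page: {h}")
    return findings


def audit_json(text):
    """Parse a manifest.json string and audit it."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests: a narrow one and a "VPN" that reads everything.
NARROW = json.dumps({"manifest_version": 3, "name": "Tab Counter",
                     "permissions": ["storage"],
                     "host_permissions": ["https://example.com/*"]})
VPN_LIKE = json.dumps({"manifest_version": 3, "name": "Free VPN Pro",
                       "permissions": ["proxy", "cookies", "webRequest", "storage"],
                       "host_permissions": ["<all_urls>"],
                       "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]})

if __name__ == "__main__":
    for m in (NARROW, VPN_LIKE):
        print(json.loads(m)["name"], audit_json(m) or ["no findings"])
```

A real VPN extension legitimately needs some of these grants, so the output is a triage list to review against what the extension claims to do, not a verdict.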