Google Chrome Found to Contain Malicious Extension: Will It Steal Users' Virtual Currency?

Researchers with cybersecurity firm Trend Micro have uncovered a malicious extension in Google's Chrome web browser that uses a multitude of methods to steal and mine cryptocurrency from infected users.

The malware, which Trend Micro calls "FacexWorm", makes its way onto a victim's browser via social engineering tactics conducted through Facebook Messenger.

A target would receive a link leading to a fake YouTube page that would prompt the user to install an extension in order to play the video. Once the extension is installed, it's programmed to hijack users' Facebook accounts and spread the link throughout their friends list.

FacexWorm appears to be a Swiss Army knife of cryptocurrency-oriented malware. According to Trend Micro, the malicious extension has various capabilities:

If an infected user tries to log in to Google, MyMonero or Coinhive, FacexWorm will intercept the credentials.

When a victim tries to go to a specified set of cryptocurrency trading platforms, they get redirected to a scam site that requests a small amount of Ether, ostensibly for verification purposes.

If FacexWorm detects that a user is on a cryptocurrency transaction page, the extension replaces the wallet address entered by the user with another one from the attacker.

Trend Micro says currencies targeted include bitcoin, Bitcoin Gold, Bitcoin Cash, Dash, Ethereum, Ethereum Classic, Ripple, Litecoin, Zcash and Monero.

Trying to go to certain websites will redirect a victim to a referral link that rewards the attacker.

And, of course, FacexWorm has a cryptojacking component, using the victim's processor to mine for cryptocurrency.

If an affected user appears to be trying to remove the malicious plugin, it has ways of stopping them, Trend Micro says. If a user tries opening Chrome's extension management page, the malware will simply close the tab.

FacexWorm reportedly first surfaced last year. But it appeared to be adware-oriented in its first iteration and wasn't very active until Trend Micro noticed it last month.

Trend Micro says it's only discovered one instance in which FacexWorm compromised a bitcoin transaction, according to the attacker's digital wallet address, but that there's no way to tell for sure how much the attackers have actually profited.

The attacker is persistently trying to upload more FacexWorm-infected extensions to the Chrome Web Store, the researchers say, but Google is proactively removing them.

Trend Micro says Facebook, with which it has a partnership, has automated measures that detect the bad links and block their spread.
