Malicious Safepal Wallet Add-On Goes After Cryptocurrency
It Empties Users’ Crypto Wallets.
Crypto wallets have lately been a continuous target for hackers. Recall the open-source repositories such as PyPI and GitHub that were used to distribute malware aimed at crypto stealing and crypto mining. Now a Firefox add-on called Safepal Wallet has been found emptying users’ cryptocurrency wallets. The add-on is reported to have remained on the Mozilla add-on store for seven months.
Safepal Wallet Add-on Makes User Lose $4,000: a Real Experience
On the Mozilla forum, a user reported a bad experience with this malicious Safepal Wallet add-on. It is the story of Cali, whose wallet balance dropped to $0 after installing the add-on to access the crypto wallet from the browser. The message was posted on the 12th of September.
I was deep in shock. I saw my last transactions and saw that my funds ($4000,-) were transferred to another wallet. I could not believe it, an add-on that is deployed in the add-on list of Mozilla Firefox.
Within the following 5 days, the user’s public post was addressed by a Mozilla spokesperson, who declared that an investigation had been started. Following this, the add-on’s Mozilla page was removed.
Four days ago, the affected user posted an update on the same forum, saying that:
I already talked with the police; they can do nothing for me. They told me that there is no way they can trace the hacker. The only solution left for me is that maybe some of you can help me out by figuring out who the hacker was and how I can get my funds back.
As we all know, Bitcoins cannot be traced, so there seems to be no hope for Cali to get the funds back.
To help other users, some people went to the Mozilla store and gave the Safepal Wallet add-on a 1-star rating, to warn others who might download it about its questionable safety.
What Mozilla Said About It
Safepal is essentially a crypto wallet in which users can store crypto-related assets such as Bitcoin, Ethereum, and Litecoin. Following the events, the add-on was taken down, but according to BleepingComputer the phishing website linked to it still appeared to be functioning yesterday. When the publication contacted Mozilla for a statement, a representative declared:
Extension security is important to Mozilla, and our ecosystem continually responds to changing threats. (..) Our recent focus has been on limiting the damage malicious extensions can do, helping users discover Recommended Extensions that we vet and monitor, helping users understand the risks that come with installing extensions, and making it easier for users to report potentially malicious extensions to us. When we become aware of add-ons that pose a risk to security and privacy according to our Add-on Policies, we take steps to prevent them from running in Firefox. In this instance, shortly after we became aware of potential abuse by this extension, we took action to block and remove it from the Firefox Add-on store. Users should be especially cautious about installing software that might have access to private information or financial resources.
About the Phishing Domain Linked to the Safepal Wallet Add-on
Investigating the matter further, the same publication discovered that the phishing domain used by the Safepal Wallet add-on was still functional yesterday and that, according to WHOIS records, it was registered through Namecheap in January.
The website was still running and instructing users to type in their 12-word recovery phrases. After the form is submitted, the page refreshes and the cybercriminal receives the entered phrase.
What is this recovery phrase? It is common practice for crypto wallets, essentially a backup phrase. It consists of 12 randomly generated words. So, if users forget their password when trying to log in to their wallet, they can simply use this 12-word phrase to recover the wallet and its private key. Of course, this method should be used only in exceptional cases; otherwise, in the hands of cybercriminals, it is a path to wallet takeover and funds transfer.
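To make concrete why a disclosed recovery phrase means loss of the whole wallet, here is an added example (not code from the article or from SafePal) that derives a wallet seed from a 12-word phrase the way a wallet does. It assumes the phrase is a BIP39 mnemonic, which the article does not state, and uses the public BIP39 test vector as sample input.

```python
import hashlib
import unicodedata

# Added example, not code from the article or from SafePal. It assumes the
# wallet's 12-word recovery phrase follows BIP39, the scheme behind most
# 12-word phrases; the article itself does not name the standard.
PBKDF2_ROUNDS = 2048   # fixed by BIP39
SEED_BYTES = 64        # 512-bit seed

# Public BIP39 test vector (all-zero entropy), used here as sample input.
SPEC_MNEMONIC = "abandon " * 11 + "about"
SPEC_PASSPHRASE = "TREZOR"


def normalize_phrase(mnemonic: str) -> str:
    """Canonical form: NFKD, lower-case, single spaces, so how the words were
    typed into a form (case, spacing, line breaks) does not matter."""
    return " ".join(unicodedata.normalize("NFKD", mnemonic).lower().split())


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the wallet seed from the recovery phrase exactly as a wallet does.

    Salt is the literal string 'mnemonic' plus the optional passphrase;
    PBKDF2-HMAC-SHA512 with 2048 rounds gives the 64-byte seed from which
    every key and address in the wallet is derived. Nothing here contacts a
    server: holding the 12 words is holding the wallet, which is why a phished
    phrase cannot be 'reset' and the only remediation is moving funds to a
    freshly generated wallet.
    """
    phrase = normalize_phrase(mnemonic)
    if len(phrase.split()) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", phrase.encode("utf-8"), salt.encode("utf-8"),
        PBKDF2_ROUNDS, dklen=SEED_BYTES,
    )


if __name__ == "__main__":
    seed = mnemonic_to_seed(SPEC_MNEMONIC, SPEC_PASSPHRASE)
    print("seed:", seed.hex())
    # Sloppy input on a phishing form still yields the same seed:
    messy = "  ABANDON abandon\nabandon " + "abandon " * 8 + "About "
    print("same wallet:", mnemonic_to_seed(messy, SPEC_PASSPHRASE) == seed)
```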
Mitigation Measures for Browser Extension Safety
With all this happening, users should be more careful about where they use their recovery phrase (only on trusted websites) and how they transfer crypto.
The general mitigation measures proposed by Mozilla in terms of browser extension safety are described below: