Malicious Chrome Extension Uncovered
Socket’s Threat Research Team has identified a malicious Chrome extension named “lmΤoken Chromophore” that steals cryptocurrency wallet credentials. Advertised as a harmless colour tool, it actually impersonates imToken, a well-known non-custodial wallet brand, and poses a significant threat to that wallet’s users.
Since its launch in 2016, imToken has served over 20 million users worldwide, which makes the brand an attractive target for cybercriminals. The official imToken team has stated that its wallet is available only as a mobile application and that it has never released a Chrome extension, so any browser extension carrying the brand is illegitimate by definition. The malicious extension nonetheless copies the brand’s visual identity to trick users into entering their 12- or 24-word seed phrase or a plaintext private key, either of which gives the attacker full control of the wallet.
Phishing Techniques and Evasion Strategies
Once installed, the extension ignores its advertised colour-visualizing function and instead acts as a redirector. It fetches a target URL from a hardcoded remote endpoint hosted on JSONKeeper and opens a new tab to the attackers’ infrastructure. Because the destination lives outside the extension package, the operators can change the phishing site at any time without pushing a new version through Chrome Web Store review.
The phishing flow first sends victims to chroomewedbstorre-detail-extension[.]com, a typosquat of the Chrome Web Store domain. To slip past string-matching and brand-impersonation checks, the attackers also use mixed-script Unicode homoglyphs, as in the extension’s own name, replacing Latin letters with look-alike Cyrillic and Greek characters. Victims are then shown a fake wallet import interface, driven by externally hosted JavaScript files, that asks them to enter their seed phrase or private key.
Deceptive Workflow and Aftermath
After capturing the victim’s secrets, the attackers keep up the illusion of legitimacy by prompting the user to set a local password and displaying a fake “upgrading” screen. Finally, the victim is redirected to the genuine token.im website, which lowers suspicion while the stolen keys are used to drain the wallet.
Security teams should scrutinize browser extensions as rigorously as any other third-party software. In sensitive environments, organizations should restrict installations to an allowlist (Chrome’s enterprise ExtensionInstallAllowlist and ExtensionInstallBlocklist policies support this) rather than relying on Web Store review. Users should obtain wallet software only through the vendor’s official channels, and anyone who entered a seed phrase or private key into this extension should treat that wallet as permanently compromised: the attacker holds a copy of the secret, so the only remedy is to move the funds to a freshly generated key immediately.
Indicators of Compromise and Recommendations
Security tooling should flag extensions that fetch remote configuration at runtime and then open tabs to externally supplied URLs, since that combination lets the operator change the phishing destination after review. Analysts should add the following Indicators of Compromise (IOCs) to blocklists and detection rules:
- Malicious Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
- Publisher Email: liomassi19855@gmail[.]com
- Phishing Landing Page: chroomewedbstorre-detail-extension[.]com
- Configuration Payload: jsonkeeper[.]com/b/KUWNE
- Script Infrastructure: compute-fonts-appconnect.pages[.]dev
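The following is an added example, not the extension’s code or Socket’s tooling: a static triage pass over an unpacked extension that flags the remote-fetch-then-open-tab pattern described above and matches any literal URLs in its scripts against the IOCs listed. The input extension is a constructed sample modelled on the behaviour the article describes, not the real extension’s source; the regex heuristics are this example’s own.

```javascript
// Added example (not the extension's code or Socket's tooling): static
// triage of an unpacked extension for the redirector pattern described in
// the article, plus IOC matching. Works on plain strings, so it runs offline
// on a directory dump or an unzipped CRX.

// IOCs from the report, de-fanged as published; refang() restores the dots.
const IOCS = {
  extensionIds: ["bbhaganppipihlhjgaaeeeefbaoihcgi"],
  // The JSONKeeper entry keeps its path so the shared paste service is not
  // flagged wholesale; the other two are attacker-controlled hosts.
  urls: [
    "chroomewedbstorre-detail-extension[.]com",
    "jsonkeeper[.]com/b/KUWNE",
    "compute-fonts-appconnect.pages[.]dev",
  ],
};
const refang = (s) => s.replace(/\[\.\]/g, ".");
const IOC_URLS = IOCS.urls.map(refang);

// Literal http(s) URLs in source text (stops at whitespace or quotes).
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+(?:\/[^\s"'`)]*)?/g;
// A network call with a literal URL argument, or an XHR object.
const REMOTE_FETCH_RE = /\bfetch\s*\(\s*["'`]https?:|new\s+XMLHttpRequest\b/;
// Navigation primitives available to an extension.
const OPEN_TAB_RE = /chrome\.tabs\.(?:create|update)\s*\(|window\.open\s*\(/;

function extractUrls(source) {
  return [...source.matchAll(URL_RE)].map((m) => m[0]);
}

// ext = { id, scripts: [string, ...] }. Returns the findings together with
// the evidence behind them so each one can be verified in the source.
function triageExtension(ext) {
  const findings = new Set();
  const urls = [];
  for (const src of ext.scripts) {
    urls.push(...extractUrls(src));
    if (REMOTE_FETCH_RE.test(src)) findings.add("remote-fetch");
    if (OPEN_TAB_RE.test(src)) findings.add("opens-tab");
  }
  // The combination is the redirector pattern: the destination arrives from
  // the network at runtime, so Web Store review never sees it.
  if (findings.has("remote-fetch") && findings.has("opens-tab")) {
    findings.add("remote-config-redirector");
  }
  const iocHits = urls.filter((u) => IOC_URLS.some((ioc) => u.includes(ioc)));
  if (iocHits.length > 0) findings.add("ioc-match");
  if (IOCS.extensionIds.includes(ext.id)) findings.add("known-malicious-id");
  return { findings: [...findings], urls, iocHits };
}

// Constructed sample modelled on the behaviour the article describes; this
// is not the real extension's source.
const SAMPLE_EXTENSION = {
  id: "bbhaganppipihlhjgaaeeeefbaoihcgi",
  scripts: [
    `chrome.runtime.onInstalled.addListener(async () => {
  const r = await fetch("https://jsonkeeper.com/b/KUWNE");
  const cfg = await r.json();
  chrome.tabs.create({ url: cfg.url });
});`,
  ],
};

// A constructed benign extension that only touches the page it runs on.
const BENIGN_EXTENSION = {
  id: "abcdefghijklmnopabcdefghijklmnop",
  scripts: ["document.body.style.filter = 'hue-rotate(90deg)';"],
};

console.log(JSON.stringify(triageExtension(SAMPLE_EXTENSION), null, 2));
console.log(JSON.stringify(triageExtension(BENIGN_EXTENSION), null, 2));
```

The literal-URL heuristics are deliberately simple and will miss a fetch whose URL is assembled at runtime or obfuscated, which is why the static pass should be paired with runtime monitoring of extension network requests and tab creation rather than used on its own.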
