Hello and welcome to the Thursday, May 22nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering. I am recording in Jacksonville, Florida.

Remember a few weeks ago we had these scammers that actually left comments on the Internet Storm Center YouTube channel that listed their private passphrase for their crypto coin wallets. And well, we looked into this, and the reason they did this was not to give you the money. That would have been too easy and not much of a scam. But instead, the way these crypto wallets were set up, they needed a second passphrase in order to actually work and for you to be able to deduct money from them. So they tried to trick you into actually sending the money for the transaction fee ahead of realizing that you can't actually get to the money. Well, it looks like we have a little bit of evolution of this scam happening now. I've observed it on X where, via direct message, someone approached me and told me that, hey, you actually got some money from me coming here. And then they gave me the username and password to actually log into their account. And these credentials work on this very specific website. The problem, of course, with this is that, well, it's not so easy to actually get to the money from that website. This website, I'm not familiar with it. I doubt it's legit, and it doesn't really look all that confidence building.

Once you're trying to actually withdraw the money from the account, you're prompted with, well, the next challenge: in order to actually withdraw the money, you need to know a key password. And of course, you don't have that key password, but there is a solution. All you have to do is set up a new account with that website, and then you're able to transfer instead of withdraw the money, which according to the help that's being delivered here does not require the key. Okay, so I set up an account. And what I got next was that I was still not able to transfer the money without first signing up for a VIP account, which, well, costs, of course, money. The smallest account they have is $50. But with that, you can only transfer $30 a month. So that doesn't really get you a good return on investment, actually a negative return on investment. You have to get at least $1,000 invested here in order to get to a positive return on investment in the first month. Or if you want to actually get your money back in a day, then you need to invest $3,000. So that's the trick here. I assume that the website is then just, well, grabbing the money, and you're still not getting anything out of it. Maybe with the $50 account, you can actually get $10 back, for a little bit of that confidence building; that's sort of what a lot of the time these confidence scams are about. Anyway, if anybody has any more insight into this scam, let me know. But it looks to me like they basically want to trick you into signing up for one of these VIP accounts, promising that you would be able to steal that money. And, well, then again, sort of playing on the victim's greed.

Anyway, we got a couple of stories related to fake extensions. First one, Chrome extensions. DomainTools wrote an article summarizing some of the work they have done recently, getting rid of some of these malicious Chrome extensions. These extensions claim to be VPNs and crypto coin tools and similar things. And at the surface, at first, they look like they actually function. The problem is that in addition to providing some more or less valid functionality, well, they're also going to steal all your data. And remember that any Chrome extension that you install typically has access to everything you are doing in Chrome. So that way they can have access to session tokens, usernames, passwords, anything you enter, anything you view in your browser is typically available to these extensions. Your best defense against this is that you probably should just limit the number of extensions that you are using in your browser, be it Chrome or another browser, of course, with Chrome being the biggest one out there.

Datadog Security Labs identified, well, again, malicious extensions, but this time in Visual Studio Code. Of course, if you're using Visual Studio Code as an editor for your programming tasks, well, in that case, these extensions, just like extensions in a browser have access to everything in a browser, have access to everything you do in your code editor. And then, of course, it can become a big problem. In this particular case, the extension will then exfiltrate data from your system. It's essentially an info stealer. And the extensions that Datadog Security Labs found appear to be targeting crypto coin developers, based on the naming scheme and also based on the data they're trying to exfiltrate. Just like with browser extensions, be careful what you install and try to minimize the number of extensions that you have installed.

Well, and that's it for today. Thanks for listening, and talk to you again tomorrow. Bye.
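As an added example (not from the podcast, DomainTools or Datadog), here is a small audit script for the browser-extension point above: it reads Chrome extension manifests and flags the ones whose declared host and API permissions let them see everything you do in the browser. The two sample manifests are constructed for an offline run, and the low/medium/high ranking is this example's own, not a Chrome or vendor scale.

```python
"""Flag installed Chrome extensions that can read everything you do in the browser (added example)."""
import json
from pathlib import Path

# Host patterns that match every site (real Chrome match-pattern syntax).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Real Chrome API permissions that expose sessions, traffic or page content.
SENSITIVE_PERMS = {"cookies", "webRequest", "tabs", "history", "clipboardRead",
                   "declarativeNetRequest", "scripting", "debugger"}


def audit_manifest(manifest: dict) -> dict:
    """Summarise how far one manifest.json reaches: all-site access plus sensitive APIs."""
    hosts = set(manifest.get("host_permissions", []))          # Manifest V3 key
    # Manifest V2 mixed host patterns into "permissions"; content scripts declare "matches".
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    perms = {p for p in manifest.get("permissions", []) if p in SENSITIVE_PERMS}
    all_sites = bool(hosts & BROAD_HOSTS)
    risk = "high" if all_sites and perms else "medium" if all_sites or perms else "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "all_sites": all_sites, "sensitive": sorted(perms), "risk": risk}


def audit_dir(extensions_root: Path) -> list:
    """Walk a profile's Extensions folder: <root>/<extension id>/<version>/manifest.json."""
    return [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in sorted(extensions_root.glob("*/*/manifest.json"))]


# Constructed sample manifests (not real extensions): a "VPN" that wants everything,
# and a notes add-on that only needs local storage.
SAMPLE_VPN = {"name": "Free VPN Proxy", "version": "1.2", "manifest_version": 3,
              "permissions": ["cookies", "webRequest", "storage"],
              "host_permissions": ["<all_urls>"]}
SAMPLE_NOTES = {"name": "Sticky Notes", "version": "0.4", "manifest_version": 3,
                "permissions": ["storage"]}

if __name__ == "__main__":
    for sample in (SAMPLE_VPN, SAMPLE_NOTES):
        print(audit_manifest(sample))
    # For a live check, point audit_dir at your profile's Extensions folder (path is an
    # assumption that varies by OS and profile), e.g. Path.home() / ".config/google-chrome/Default/Extensions"
```

Anything reported as "high" deserves the question the podcast asks: do you really need it installed?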