SerHack - Developer and Security

SerHack

Developer - Security engineer

[email protected]

MEGA Chrome Extension Hacked - Detailed Timeline of Events

by SerHack


TLDR;

On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA's Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company. Upon installation or auto-update, the malicious extension asked for elevated permissions to access personal information, allowing it to steal login/register credentials from ANY websites like Amazon, Github, and Google, along with online wallets such as MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform. The trojanized Mega extension then sent all the stolen information back to an attacker's server located at megaopac[.]host in Ukraine, which is then used by the attackers to log in to the victims' accounts, and also extract the cryptocurrency private keys to steal users' digital currencies.

Detailed Timelaps

14.30 UTC on 4th September 2018

An unknown attacked managed to log into the Chrome Extension Store profile, used by MEGA Team. A new MEGA Chrome extension version (3.39.4) has been uploaded.

16 UTC on 4th September 2018

A reddit user (/u/gattacus) noticed some unwanted changes to the latest version of Mega Chrome Extension. The Chrome browser originally asked for new permissions about reading all the content from a web page. He was looking for its source code and he discovered a probably cryptocurrency-keys logging. Then he posted this thread for having some confirmations from the community.

And I'll read it. I supposed "Whoa, another security issue" but I was looking for the source code too. IT happens! I discovered a keylogger which could log password, username and even sessions!

17.16 UTC on 4th September 2018

After the discovering of keylogging, I posted a warning on Twitter. The InfoSec Community and some security researches confirmed this issue.

17.23 UTC on 4th September 2018

The official Twitter account of Monero (XMR) posted a warning, advising XMR holders to steer clear of MEGA.

17.45 UTC on 4th September 2018

A security engineer, Jeremiah O'Connor, confirmed that infrastructure was related to AWS/MEW BGP attack.

18.09 UTC on 4th September 2018

Megaopac[.]host domain seems to have a login panel. Unfortunately, I did not any research about this.