Rilide Browser Extension Exploited by Hackers to Steal Cryptocurrency by Bypassing 2FA

A new malicious browser extension named Rilide has been uncovered by security researchers. The extension targets Chromium-based products such as Google Chrome, Brave, Opera, and Microsoft Edge. The malware is programmed to keep an eye on browsing activity, capture screenshots, and use scripts injected into web pages to steal cryptocurrency.

Once the Rilide extension is loaded into the browser, it disguises itself as a Google Drive extension. However, behind the scenes, it simultaneously monitors the active tabs for specific websites, which comprise popular cryptocurrency exchanges and email providers like Gmail and Yahoo.

Upon identifying a targeted website, the extension removes the Content Security Policy headers provided by the legitimate website and introduces its own malicious code for executing content manipulations.

This is significant as websites utilize CSP to inform browsers about which scripts to permit for execution on the site.

The Rilide extension injects various scripts into websites, some of which can take screenshots of the active tabs and alert a command-and-control server when a targeted website is open. Additionally, other scripts are designed to automatically withdraw assets while simultaneously displaying a phony dialog box that prompts the user to input their two-factor authentication code.

After the actions are executed, automated emails containing codes are sent by many websites to the user to verify the transaction. The Rilide extension can modify these emails in Gmail, Hotmail or Yahoo web interfaces with emails that seem to have been sent to authorize a new device to access the account, which is also a process that employs the same 2FA workflow.

When accessing their accounts, users may have previously been prompted to reauthorize their browsers by inputting 2FA codes received via email. This is a common security measure triggered by expiring authenticated sessions and periodically resetting saved 2FA statuses.

This technique was used to steal assets from cryptocurrency exchanges, but it can be adapted for other websites that use email-based multi-factor authentication. Therefore, organizations should consider using more secure methods, such as mobile authenticator apps or physical USB-based authentication devices, when deploying 2FA even on third-party services.