Rilide browser extension steals MFA codes
2023-04-07 11:13

Cryptocurrency thieves are targeting users of Chromium-based browsers - Google Chrome, Microsoft Edge, Brave Browser, and Opera - with an extension that steals credentials and can grab multi-factor authentication codes.

Dubbed Rilide by Trustwave researchers, the extension mimics the legitimate Google Drive extension while, in the background, it disables the Content Security Policy, collects system information, exfiltrates browsing history, takes screenshots, and injects malicious scripts.

It aims to allow attackers to compromise email accounts by serving forged email confirmations, and crypto-related accounts by serving forged MFA requests.

"Rilide's crypto exchange scripts support an automatic withdrawal function. While the withdrawal request is made in the background, the user is presented with a forged device authentication dialog in order to obtain 2FA," security researchers Pawel Knapczyk and Wojciech Cieslak explained.

"Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser. The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code."

"Any association between the threat actors behind Ekipa RAT and those using the Rilide infostealer remains unclear. However, it is probable that Ekipa RAT was tested as a means of distribution for Rilide, before finally switching to Aurora stealer," they noted.


News URL

https://www.helpnetsecurity.com/2023/04/07/extension-steals-mfa-codes/