Firefox’s malicious ‘Safepal Wallet’ add-on stole cryptocurrency
A malicious Firefox add-on named “Safepal Wallet” scammed users by emptying their wallets and lived on Mozilla’s add-on store for seven months.
Safepal is a cryptocurrency wallet app capable of securely holding over 10,000 types of assets including Bitcoin, Ethereum, and Litecoin.
Although the malicious browser add-on was removed, BleepingComputer found that the phishing website set up by the threat actors was still operational.
$ 4,000 lost due to malicious Firefox add-on
“Today I walked [through] List of Mozilla Firefox add-ons, I was looking for the Safepal wallet extension to use my cryptocurrency wallet also in the web browser, âsays a Mozilla add-ons user named Cali.
Cali didn’t know what to expect. Within hours of installing and logging into the add-on with their real Safepal credentials, the user saw their wallet balance drop to $ 0.
“I was deeply in shock … I saw my last transactions and saw that [$4,000 of my funds] have been transferred to another wallet. I couldn’t believe it [was an] add-on that is deployed in the Mozilla Firefox add-ons list, ” keep on going user in the Mozilla Support Forum.
The add-on page for “Safepal Wallet”, seen by BleepingComputer, indicated that the add-on has been in place since at least February 16, 2021.
On the same page, the 235KB add-on presents itself as a Safepal application that âstores the private key securely locallyâ, along with compelling product images and marketing materials.
To publish an add-on on the Mozilla website, developers are required to follow a submission process that extensions submitted by states are “subject to review by Mozilla at any time.” But, it is not clear to what extent submissions are reviewed for their security.
Less than five days after Cali’s public report on the incident this month, a Mozilla spokesperson responded that they were investigating. The page has since been deleted by Mozilla.
Although Safepal has official smartphone apps available on both Apple AppStore and google play, we do not know that there are genuine ‘Safepal’ browser extensions.
Fortunately, on Mozilla’s add-on store, some users had posted one-star reviews warning others not to download âSafepal Walletâ:
But, for Cali, it seems a bit too late in the game, and the chances of them getting their funds back are slim.
“I have already spoken with the police, there is nothing they can do for me. They told me there was no way to find the hacker. The only solution I have left is maybe some of you can help me by finding out who the hacker was and how I can get my funds back “, States the user.
BleepingComputer has contacted Mozilla to inquire about the issue:
“Extension security is important to Mozilla, and our ecosystem is constantly responding to changing threats,” a Mozilla spokesperson told BleepingComputer.
âWe recently focused on limiting the damage malicious extensions can cause, by helping users discover Recommended extensions that we control and monitor, helping users understand the risks associated with installing extensions, and making it easier for users to report potentially malicious extensions to us. “
“When we become aware of add-ons that pose a risk to security and privacy according to our Complementary policies, we are taking steps to prevent them from running in Firefox. In this case, shortly after learning of potential abuse of this extension, we took steps to block it and remove it from the Firefox Add-ons store. “
“Users should be especially careful when installing software that may have access to private information or financial resources.”
The ‘Safepal’ phishing domain is still active, collecting recovery sentences
While investigating the malicious Firefox add-on, BleepingComputer came across the phishing domain used by the add-on. This web page, pictured below, was also listed as a “support site” link on the home page of the bogus add-on:
WHOIS records indicate that the phishing site was registered in January of this year via Namecheap. At the time of writing, the webpage is still live and asks the victim to enter their “12-word backup phrase in the correct order to pair your SafePal wallet”.
But once the recovery phrase is entered and the form submitted, the page simply refreshes without any noticeable response. The recovery phrase is silently sent to the attacker.
Cryptocurrency wallets, like many online services, use a backup phrase consisting of twelve randomly generated words that can be used to recover the user’s private key and wallet, if they forget their password. . But, the recovery phrase is a crucial secret intended to be used in exceptional circumstances and only on the trusted application or website of the service provider.
A stolen recovery phrase can give attackers control of your wallet as well as the ability to access and transfer funds.
In recent times, cryptocurrency scams have mushroomed, with threat actors finding innovative and hard-to-detect ways to trick users. Just last week, someone hacked into the official Bitcoin.org website and successfully scammed visitors for $ 17,000.
In attacks already seen, open source repositories, including npm, PyPI, and GitHub, have been abused to distribute both cryptovol and cryptomining malware.
With the growing presence of malicious actors on online platforms, users should be careful when providing their passphrases or transferring cryptocurrencies online.
Mozilla further recommends the following steps to assess the security of any browser extension:
- Ask yourself: is the extension from a brand or a developer that I trust? Does the brand’s or developer’s official website link to an extension?
- Check if the developer’s website, blog or social media activity is compatible with the functionality of the extension
- See how many other users have installed the extension. Does it have a good number of stars and positive reviews?
BleepingComputer has contacted Safepal for comment and we are awaiting its response. We also reported the phishing domain in question to Namecheap.
Update, September 28, 12:16 am: Added statement received from Mozilla after release.