Characterizing Cryptocurrency-themed Malicious Browser Extensions

Kailong Wang; Yuxi Ling; Yanjun Zhang; Zhou Yu; Haoyu Wang; Guangdong Bai; Beng Chin Ooi; Jin Song Dong

doi:10.1145/3606376.3593529

Characterizing Cryptocurrency-themed Malicious Browser Extensions

Kailong Wang (Co-first Author), Yuxi Ling (Co-first Author), Yanjun Zhang, Zhou Yu, Haoyu Wang^*, Guangdong Bai^*, Beng Chin Ooi, Jin Song Dong

^*Corresponding author for this work

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

1 Citation (Scopus)

Abstract

Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to the users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer. © 2023 Owner/Author.

Original language	English
Pages (from-to)	91-92
Number of pages	2
Journal	Performance Evaluation Review
Volume	51
Issue number	1
Online published	27 Jun 2023
DOIs	https://doi.org/10.1145/3606376.3593529
Publication status	Published - Jun 2023
Externally published	Yes

Bibliographical note

This has also been published in: Wang, K., Ling, Y., Zhang, Y., Yu, Z., Wang, H., Bai, G., Ooi, B. C., & Dong, J. S. (2023). Characterizing Cryptocurrency-Themed Malicious Browser Extensions. In SIGMETRICS '23: Abstract Proceedings of the 2023 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (pp. 91-92). (SIGMETRICS - Abstract Proceedings of the ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems). Association for Computing Machinery. https://doi.org/10.1145/3578338.3593529

Research Keywords

browser extension
cryptocurrency
malware detection

Access Output

10.1145/3606376.3593529

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{883ace03be4d4c12bbdbaab2300eb798,

title = "Characterizing Cryptocurrency-themed Malicious Browser Extensions",

abstract = "Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to the users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer. {\textcopyright} 2023 Owner/Author.",

keywords = "browser extension, cryptocurrency, malware detection",

author = "Kailong Wang and Yuxi Ling and Yanjun Zhang and Zhou Yu and Haoyu Wang and Guangdong Bai and Ooi, {Beng Chin} and Dong, {Jin Song}",

note = "This has also been published in: Wang, K., Ling, Y., Zhang, Y., Yu, Z., Wang, H., Bai, G., Ooi, B. C., & Dong, J. S. (2023). Characterizing Cryptocurrency-Themed Malicious Browser Extensions. In SIGMETRICS '23: Abstract Proceedings of the 2023 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (pp. 91-92). (SIGMETRICS - Abstract Proceedings of the ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems). Association for Computing Machinery. https://doi.org/10.1145/3578338.3593529",

year = "2023",

month = jun,

doi = "10.1145/3606376.3593529",

language = "English",

volume = "51",

pages = "91--92",

journal = "Performance Evaluation Review",

issn = "0163-5999",

publisher = "Association for Computing Machinery",

number = "1",

}

TY - JOUR

T1 - Characterizing Cryptocurrency-themed Malicious Browser Extensions

AU - Wang, Kailong

AU - Ling, Yuxi

AU - Zhang, Yanjun

AU - Yu, Zhou

AU - Wang, Haoyu

AU - Bai, Guangdong

AU - Ooi, Beng Chin

AU - Dong, Jin Song

N1 - This has also been published in: Wang, K., Ling, Y., Zhang, Y., Yu, Z., Wang, H., Bai, G., Ooi, B. C., & Dong, J. S. (2023). Characterizing Cryptocurrency-Themed Malicious Browser Extensions. In SIGMETRICS '23: Abstract Proceedings of the 2023 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (pp. 91-92). (SIGMETRICS - Abstract Proceedings of the ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems). Association for Computing Machinery. https://doi.org/10.1145/3578338.3593529

PY - 2023/6

Y1 - 2023/6

N2 - Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to the users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer. © 2023 Owner/Author.

AB - Due to the surging popularity of various cryptocurrencies in recent years, a large number of browser extensions have been developed as portals to access relevant services, such as cryptocurrency exchanges and wallets. This has stimulated a wild growth of cryptocurrency-themed malicious extensions that cause heavy financial losses to the users and legitimate service providers. They have shown their capability of evading the stringent vetting processes of the extension stores, highlighting a lack of understanding of this emerging type of malware in our community. In this work, we conduct the first systematic study to identify and characterize cryptocurrency-themed malicious extensions. We monitor seven official and third-party extension distribution venues for 18 months (December 2020 to June 2022) and have collected around 3600 unique cryptocurrency-themed extensions. Leveraging a hybrid analysis, we have identified 186 malicious extensions that belong to five categories. We then characterize those extensions from various perspectives including their distribution channels, life cycles, developers, illicit behaviors, and illegal gains. Our work unveils the status quo of the cryptocurrency-themed malicious extensions and reveals their disguises and programmatic features on which detection techniques can be based. Our work serves as a warning to extension users, and an appeal to extension store operators to enact dedicated countermeasures. To facilitate future research in this area, we release our dataset of the identified malicious extensions and open-source our analyzer. © 2023 Owner/Author.

KW - browser extension

KW - cryptocurrency

KW - malware detection

UR - http://www.scopus.com/inward/record.url?scp=85164273549&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85164273549&origin=recordpage

U2 - 10.1145/3606376.3593529

DO - 10.1145/3606376.3593529

M3 - RGC 21 - Publication in refereed journal

SN - 0163-5999

VL - 51

SP - 91

EP - 92

JO - Performance Evaluation Review

JF - Performance Evaluation Review

IS - 1

ER -

Characterizing Cryptocurrency-themed Malicious Browser Extensions

Abstract

Bibliographical note

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this