Rilide Browser Extension Exploited by Hackers to Steal Cryptocurrency by Bypassing 2FA
- Written by Ari Denial, Cybersecurity & Tech Writer
A new malicious browser extension named Rilide has been uncovered by security researchers. The extension targets Chromium-based products such as Google Chrome, Brave, Opera, and Microsoft Edge. The malware is programmed to keep an eye on browsing activity, capture screenshots, and use scripts injected into web pages to steal cryptocurrency.
Once the Rilide extension is loaded into the browser, it disguises itself as a Google Drive extension. However, behind the scenes, it simultaneously monitors the active tabs for specific websites, which comprise popular cryptocurrency exchanges and email providers like Gmail and Yahoo.
Upon identifying a targeted website, the extension strips the Content Security Policy (CSP) headers sent by the legitimate website and injects its own malicious code to manipulate the page content.
This is significant because websites use CSP to tell browsers which scripts may execute on the site; once the header is removed, the injected scripts are no longer blocked by it.
The Rilide extension injects various scripts into websites, some of which can take screenshots of the active tabs and alert a command-and-control server when a targeted website is open. Additionally, other scripts are designed to automatically withdraw assets while simultaneously displaying a phony dialog box that prompts the user to input their two-factor authentication code.
After these actions are executed, many websites send the user an automated email containing a code to verify the transaction. The Rilide extension can rewrite such emails in the Gmail, Hotmail or Yahoo web interfaces so that they appear to be requests to authorize a new device to access the account, a process that uses the same 2FA workflow.
When accessing their accounts, users may have previously been prompted to reauthorize their browsers by inputting 2FA codes received via email. This is a common security measure triggered by expiring authenticated sessions and periodically resetting saved 2FA statuses.
This technique was used to steal assets from cryptocurrency exchanges, but it can be adapted for other websites that use email-based multi-factor authentication. Therefore, organizations should consider using more secure methods, such as mobile authenticator apps or physical USB-based authentication devices, when deploying 2FA even on third-party services.
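The permission combination described above (broad host access, response-header rewriting to strip CSP, content-script injection on every site, and tab monitoring) is visible in an extension's manifest.json before it ever runs. The following audit script is an added example written for this page, not code from the article or from any analysis of Rilide; the permission names are real Chrome manifest keys, while the risk grouping, the `audit_extensions` directory layout assumption and the sample manifest are this example's own constructions.

```python
"""Audit Chrome extension manifests for the capability profile a Rilide-style
extension needs: broad host access plus header rewriting, script injection
and tab monitoring. Defensive triage aid, written for this page."""
import json
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Real Chrome permission names; grouping them as "header rewrite" is this example's choice.
HEADER_REWRITE = {"webRequest", "webRequestBlocking",
                  "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

# Constructed sample manifest for demonstration only, not the real Rilide manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Google Drive",  # mimics the disguise described in the article
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

def is_broad(patterns):
    """True if any match pattern grants access to every site."""
    return any(p in BROAD_HOSTS for p in patterns)

def assess_manifest(manifest):
    """Return a list of risk findings for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    cs_matches = [m for cs in manifest.get("content_scripts", [])
                  for m in cs.get("matches", [])]
    findings = []
    if perms & HEADER_REWRITE and is_broad(hosts):
        findings.append("can rewrite response headers on all sites (CSP stripping)")
    if is_broad(cs_matches) or ("scripting" in perms and is_broad(hosts)):
        findings.append("can inject scripts into all sites")
    if "tabs" in perms and is_broad(hosts):
        findings.append("can read every tab URL and capture the visible tab")
    return findings

def audit_extensions(root):
    """Walk a profile's Extensions dir, assumed as <root>/<id>/<version>/manifest.json."""
    report = {}
    for mf in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # skip unreadable or malformed manifests
        findings = assess_manifest(manifest)
        if findings:
            report[mf.parent.parent.name] = {"name": manifest.get("name"), "findings": findings}
    return report
```

Run `audit_extensions` against a copy of a user's Chrome `Extensions` directory and review any extension that reports all three findings; legitimate ad blockers trigger the header-rewrite finding too, so treat the output as a triage list rather than a verdict.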
UK Criminal Records Office Attributes Portal Issues to Cyber Incident
- Written by Ari Denial, Cybersecurity & Tech Writer
After weeks of delaying its statement, the UK’s Criminal Records Office (ACRO) has confirmed that the online portal issues that began in January were caused by a “cyber security incident.”
ACRO has been investigating a cyber security incident that forced it to temporarily shut down its customer portal.
ACRO manages criminal record information and shares it with other countries through an information sharing agreement with the Cabinet Office. The data is used for background checks on potential hires by employers and visa processing by embassies.
When providing data for a background check, it’s standard practice to include various pieces of information. This includes name and address history, which typically spans a decade, as well as extended family details, in case any familial connections could potentially impact the individual’s criminal history.
The person’s new foreign address, if applicable, is also included, as well as information on any legal representation they may have had. Additionally, passport information, a photograph, data regarding PIN cautions, reprimands, arrests, and charges or convictions are typically required.
ACRO has informed users that their personal data may have been affected by a cyber security incident that led to the temporary shutdown of its customer portal.
The agency has confirmed that the personal data of users who used its services as a direct applicant, a nominated endorser, or a professional administering an application on behalf of an applicant may have been affected by the recent cyber security incident. It has stated that payment information and dispatched certificates were not at risk.
The compromised personal data could include the identification information and criminal conviction data of applicants, as well as the names, relationships, occupations, phone numbers, email addresses, and case reference numbers of any nominated endorsers or third-party professionals.
ACRO has acknowledged that the manual processing of applications and website issues have resulted in a backlog. However, it stated that it is increasing resources and working to address the issue as quickly as possible.