CTC’s May 2018 Threat Report

Almost $20,000. That’s how much a single bitcoin was worth at the currency’s peak valuation on December 17, 2017. You probably heard about it, since many news organizations trumpeted the rise of the cryptocurrency.

The bottom fell out not too long after that. By the following February, that single bitcoin was worth $6,200. Even with that drop, bitcoin was now on many people’s radar. Enough so that some of them are willing to break the law in an attempt to cash in.

And that’s where our May 2018 threat report begins.

Chrome Extensions Used to Infect Users

Seven Google Chrome extensions installed cryptocurrency miners and software that stole users’ credentials for Facebook and Instagram. Bitcoin wasn’t the goal, though. Instead, the digital currencies sought were monero, bytecoin, and electroneum.

The infection process began with a fake YouTube page that prompted users to install an extension. Users who did so inadvertently made their computers part of a botnet. The botnet not only stole their information and installed the cryptocurrency miners; it also leveraged the stolen information to send nefarious links to the victims’ friends.

Google has addressed the malicious extensions, but not before they infected more than 100,000 systems in 100 countries. And the data collected from those successful intrusions remains in possession of the criminals responsible for them.

Over a six-day period, “the attackers appeared to generate approximately $1,000 in cryptocurrencies, mostly Monero,” according to one account of the attack. Since this effort is thought to have been active since at least March, that rate suggests a potential cryptocurrency haul of approximately $10,000.

What can corporate environments do following this news?

  1. Chrome Enterprise administrators can whitelist extensions. It’s a process that might short-circuit users’ attempts to install an extension that replaces all pictures on a web page with GIFs of cartoon character Nigel Thornberry. (That is the sole purpose of one of the compromised extensions, called Nigelify.)
  2. A publicized and enforced internet usage policy prohibiting the installation of unapproved extensions may help, as well. Since the success of this attack makes future attacks more likely, reviewing Chrome extension practices and policies can only be a positive step.
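
As an added illustration of the whitelisting step in item 1 (not code from CTC or Google), the sketch below models how Chrome's extension list policies, ExtensionInstallBlocklist and ExtensionInstallAllowlist (plus their older Blacklist/Whitelist names), decide whether a user can install an extension, and flags a policy that lists approved extensions without blocking everything else. The extension IDs and sample policies are constructed placeholders, and the model assumes no ExtensionSettings policy is in effect.

```python
import re

# Constructed sample data (not from the report). IDs are placeholders.
APPROVED_ID = "a" * 32   # stands in for an extension IT has vetted
UNVETTED_ID = "b" * 32   # stands in for an extension nobody reviewed

# Weak: names approved extensions but never blocks the rest.
WEAK_POLICY = {"ExtensionInstallAllowlist": [APPROVED_ID]}
# Strict: block everything ("*"), then exempt only vetted extensions.
STRICT_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [APPROVED_ID],
}

ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs use letters a-p only
BLOCK_KEYS = ("ExtensionInstallBlocklist", "ExtensionInstallBlacklist")
ALLOW_KEYS = ("ExtensionInstallAllowlist", "ExtensionInstallWhitelist")


def merged(policy, names):
    """Union a policy's values under its current and legacy names."""
    out = set()
    for name in names:
        out.update(policy.get(name, []))
    return out


def can_user_install(policy, ext_id):
    """Return True if a user could install ext_id under this policy."""
    if not ID_RE.match(ext_id):
        raise ValueError("not a Chrome extension ID: %r" % ext_id)
    if ext_id in merged(policy, ALLOW_KEYS):
        return True  # allowlisted IDs are exempt from the blocklist
    block = merged(policy, BLOCK_KEYS)
    return not ("*" in block or ext_id in block)


def audit(policy):
    """List findings that leave extension installs open to users."""
    findings = []
    if "*" not in merged(policy, BLOCK_KEYS):
        findings.append("blocklist lacks '*': unlisted extensions are installable")
    for ext_id in sorted(merged(policy, ALLOW_KEYS)):
        if not ID_RE.match(ext_id):
            findings.append("malformed allowlist entry: %r" % ext_id)
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, can_user_install(pol, UNVETTED_ID), audit(pol))
```
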

Cryptojacking by Way of Ads

Compromising a system with the intent to mine for cryptocurrency is called “cryptojacking.” You may already be familiar with the term. It’s a safe bet many people you know will be familiar with it, too.


“Browser-based cryptojacking is growing fast. Last November, Adguard reported a 31 percent growth rate for in-browser cryptojacking. Its research found 33,000 websites running crypto mining scripts. Adguard estimated that those sites had a billion combined monthly visitors.”

One way criminals take over systems is by “malvertising.” When engaging in malvertising, hackers take advantage of legitimate advertising networks that do a poor job of identifying and rejecting harmful ads. These seemingly safe, paid-for ads, which are loaded with malware, then propagate across popular websites via ad syndication. Some such attacks can infect vulnerable systems that merely display the harmful ad, without any interaction at all from the user.

Infected Chrome extensions and cryptojacking that can happen without any action on the part of a computer user indicate an internet frontier where anti-virus software alone isn’t enough. Organizations today need a multi-pronged approach to protect valuable data and IP assets.

Stay Aware, Stay Safe

As the saying goes, “An ounce of prevention is worth a pound of cure.” Follow us on Twitter or Facebook for monthly security updates. We’re always hard at work to get that ounce of prevention to you.

CTC Technologies helps businesses and enterprise organizations with their cybersecurity needs, ranging from network security assessments to implementation of endpoint protection solutions, firewalls, and data loss protection. Reach out to us today at 734-408-0200 to speak to one of our cybersecurity specialists.