[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXBIoCP5eHLeRuFh3wfWq5wyXaSJ7cUr7OQaHDOEPXz4":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":20,"created_at":21,"published_at":22,"article":23,"tags":27,"podcasts":46},"267ed28d-3e31-4b29-943e-a02b16349b25","fake-browser-extension-steals-crypto-by-hijacking-clipboard","978dddb4-d8a4-44d6-9193-9d60a0158ed3","Fake Browser Extension Steals Crypto by Hijacking Clipboard","A malicious browser extension impersonating a legitimate Google product silently replaced cryptocurrency wallet addresses copied to the clipboard, redirecting funds to attacker-controlled wallets. The attack succeeded because users installed an unverified, unsigned extension from outside the official browser web store, granting it excessive permissions without scrutiny. This matters because clipper malware operates silently — victims only discover the theft after a transaction is irreversibly confirmed on the blockchain. 
It also highlights how supply chain impersonation (spoofing a trusted brand like Google) dramatically lowers user suspicion and raises the success rate of social engineering attacks.","**Immediate actions:**\n- Audit all installed browser extensions and immediately remove any that are unverified, unsigned, or sourced outside the official Chrome Web Store or equivalent.\n- Review and revoke excessive permissions (clipboard access, browsing history) for any extension that does not have a clear, justified need for them.\n\n**Long-term improvements:**\n- Enforce organizational policy (via MDM or Group Policy) to allow only allowlisted, enterprise-approved browser extensions.\n- Train users to verify extension publishers, check permission requests critically, and never install software from unofficial sources or unsolicited prompts.\n- Implement a software supply chain vetting process that validates the authenticity and signing status of any browser add-on before deployment.\n\n**Detection measures:**\n- Deploy endpoint security tools capable of detecting clipboard-hijacking behavior and alerting on suspicious extension activity.\n- Before confirming any transaction, verify the pasted cryptocurrency wallet address against the original through a secondary, out-of-band channel (e.g., re-typing or QR code scan), comparing the full address rather than only its first and last characters.",[12,13,14,15,16,17,18,19],"CIS Control 2: Inventory and Control of Software Assets","CIS Control 4: Secure Configuration of Enterprise Assets and Software","CIS Control 14: Security Awareness and Skills Training","NIST SP 800-53 CM-7: Least Functionality","NIST SP 800-53 SA-12: Supply Chain Protection (Rev. 4; withdrawn in Rev. 5 and incorporated into the SR control family)","NIST SP 800-53 SI-3: Malicious Code Protection","NIST Cybersecurity Framework DE.CM-4: Malicious Code Detection","GDPR Article 32: Security of Processing (where personal\u002Ffinancial data is at 
risk)","published","2026-07-01T18:20:39.657459+00:00","2026-07-01T18:20:39.568+00:00",{"id":7,"url":24,"slug":25,"title":26},"https:\u002F\u002Fhackread.com\u002Ffake-google-notes-browser-extension-swap-crypto-wallets\u002F","fake-google-notes-browser-extension-caught-swapping-crypto-wallet-addresses-089b94","Fake “Google Notes” Browser Extension Caught Swapping Crypto Wallet Addresses",[28,34,40],{"id":29,"name":30,"slug":31,"description":32,"color":33},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":35,"name":36,"slug":37,"description":38,"color":39},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308",{"id":41,"name":42,"slug":43,"description":44,"color":45},"f0c2a0af-58aa-4128-87c9-6acd30f2dc48","Supply Chain","supply-chain","Third-party risk, compromised dependencies","#8b5cf6",[]]