Pages:
Author

Topic: Fake Google Sheets Extension - Scammed | Last Update! - page 2. (Read 617 times)

hero member
Activity: 1680
Merit: 845
~snipped~
I'm really sorry for your loss. Your case sounds way more tricky and way harder to predict since, from what I understood, you were shown the correct address at first but the script switched it at the final stages. $200 is not a huge amount, but not a petty one either. As much as torrenting is useful for obtaining software you need, I've come to terms with the fact that it's a huge risk when having cryptocurrencies stored on your computer, and that it's not worth it. One idea is to keep cryptocurrencies and transactions away from your main computer.

I see that you're a newbie and put some decent effort into your post. I hope you stick around in the forum. There's a lot to learn. Thank you for spending your time to inform others regarding such a serious malicious script.
newbie
Activity: 1
Merit: 2
Hello

I just got scammed for 200 bucks by trying to withdraw from exchange 1 (binance) and deposit to exchange 2 (MEXC). This is NOT your regular clipboard hijacker, the JS script did the following for me:

  • When you copy deposit address from exchange 2 to withdrawal field in exchange 1, the address doesn't immediately change visibly, it gets swapped with scam address DURING confirmation, there's NO way to see it coming since it happens backend via script
  • If you try to deposit (instead of withdraw) on Binance, the address is VISIBLY changed to the scammer address. The deposit address on MEXC didn't change, it was legit
  • When pasting the deposit address of exchange 2 into the corresponding blockchain explorer, the result will be the scammers address. This can make you confused EVEN if you know what you are doing
  • When you search for the scammer address on blockchain explorer, it will crash the site


Now, I didn't figure out where this Google sheets thing came from because I pirate a lot but I did figure out how it got loaded.
I found this because I deleted the "Extension" folder which had all the malicious stuff in it and I kept getting a message saying "failed to load extension" whenever I would start Brave.
I searched on YT how to fix this, most videos recommended deleteing/renaming the BraveSoftware folder under "%Appdata%\Local\BraveSoftware".
After I did this, I still kept getting the error message so it didn't make sense anymore. This is when I found this:


If you right click on the Chrome (Brave in my case) shortcut, click properties, you will find this:

Code:
"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"  --load-extension="C:\Users\x\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extension\jeelboaldqeqfqemlljamankmbnoefre\4.3.6._0"

Considering the malicious extensions stem from my Brave shortcut, I knew it was impossible that I downloaded any extensions and I am almost certain it stems from a torrent.
My download history of my browser etc couldn't be it because it was never an executable or a script. So all that's left is my torrent history:

https://ibb.co/z6YJzNX

Considering most of my downloads on this list are movies or series, we can safely assume they aren't the culprit. The torrent from Vegas Pro, C4D and V-Ray ALL share the same crack with same icons but different file sizes:

https://ibb.co/S7DV2jm

That's all I have for now, I am kinda done with this, I won't look into it any further. It hurts to think about this even thought the money isn't really a big loss, I'm just disappointed and guilty with myself and I want to forget this ASAP.
If anyone has downloaded anything from this list during july, be kind and reply so that others can avoid getting scammed like this as well.


EDIT: I forgot to add, I ran the crack exe's from those 3 torrents in sandboxie and it didn't show anything but I mean whats the point of that, if someone can engineer shit like this then he will have absolutely no problem to implement anti-sandbox features into his cracks.
hero member
Activity: 1680
Merit: 845
Unfortunately, I don't have the necessary time available to back everything up and reinstall my OS, it's certainly the best option here, but I don't have the time for it. I've proceeded and deleted any extension files I've found, and will also remove any pirated software I've downloaded in the past few months.

The fake extension folder was created in 01/07/2022, so it's been in my computer for a while, there's a chance that I had downloaded something and is now deleted, but I'll be on the lookout in case it appears again.
legendary
Activity: 1904
Merit: 1563
Wouldn't you like to wipe out your machine and start with a clean slate? Because a quick search suggests that you're not the only one having this kind of problem. There's even a redditor with a similar issue in the past1 and an article2 about this kind of adware.

The only problem in the article is that they suggest you use 3rd party applications to remove the malicious files which could be usually removed from wiping out your entire machine and install your OS. Plus, make a habit of minimizing your browser extensions and uninstall those that aren't needed including software programs.

[1] https://www.reddit.com/r/techsupport/comments/qp9fc7/removing_fake_sheets_extension_from_chrome_and/
[2] https://www.myantispyware.com/2020/10/21/how-to-remove-fake-google-docs-extension-virus-removal-guide/
hero member
Activity: 2786
Merit: 902
yesssir! 🫡
Hmmm. If I were you, I'd opt for a fresh OS installation since we don't know what slips thru AVs and our own eyes. Probably opt out on extensions in the sync settings as well, just to be extra sure.

You can try to compartmentalize if you're dabbling with potentially dangerous stuff like pirated softwares, keeping the data of malicious extensions, etc.
legendary
Activity: 1526
Merit: 1359
New update!

The extension auto reinstalled itself, honestly, I don't understand what's causing its installation, but certainly it's not me. I haven't deleted its files yet, because they could possibly come in handy for other users and its declaration as a malicious extension. Could it be possible that one of them includes a script to install it without your permission?

In the past, I have come across similar extensions, but they were never as malicious. They usually hijacked control of the internal search engine and opened some suspicious websites and pop-up windows. Even after removing and resetting all Chrome settings, they persistently returned to the browser.

I am not sure that such extensions can be reinstalled by themselves. It seems to me that there must be some kind of executable that instructs these annoying extensions to re-load themselves. There must be a process running quietly in the background on your system which is responsible. I recommend that you back up your data (such as passwords and bookmarks), completely remove the Google Chrome profile and user data folder, and perform a thorough adware and malware check of your system with Malwarebytes and an antivirus program. You can also manually check all programs and processes that start automatically after system startup to see if you notice anything suspicious.
hero member
Activity: 1680
Merit: 845
New update!

The extension auto reinstalled itself, honestly, I don't understand what's causing its installation, but certainly it's not me. I haven't deleted its files yet, because they could possibly come in handy for other users and its declaration as a malicious extension. Could it be possible that one of them includes a script to install it without your permission?





The scammer's BTC address (https://www.blockchain.com/btc/address/16Adp6PaLTDqejGo4W4Yy8kzixgQVwFoEx)


Real BTC deposit address



Edit: Went to the extension's folder and started opening up each file, all folders feature the same files and are exact copies of each other. I honestly don't understand what's going on.



Edit 2: Okay, here's what I also found, there are two folders named "Extension" and "Extensions", the first one consists of several other folders containing the same fake Google Sheets extension, while the latter, has all the legit ones along with a fake one as well.

hero member
Activity: 1680
Merit: 845
This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
Malwarebytes Premium was present when the extension was installed, however, it did nothing to protect from it. My best guess is that it's a new type of thing going on. On the other hand, Opera might be less susceptible to such extensions, however, before it happened to me, I had only heard about the copy-pasting malware. Displaying a whole new address, though, is way out of the ordinary.
Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
That's correct, Adobe Lightroom was downloaded after the extension's installation/creation. I can't recall if I had downloaded something else, and is now deleted. It's surprising that even though the extension was supposed to be disabled, it run perfectly fine.
legendary
Activity: 2730
Merit: 7065
Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
OP mentioned that Adobe Lightroom was downloaded several days after the extension was created. It's unlikely that software is the culprit. But I would try to retrace all my steps days before the extension was created. Maybe OP was visiting some new websites or giving them certain permissions that might have installed that extension on his PC. If he downloaded a pirated app, chances are OP has done so in the past as well.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out.
You are right about that. This Google support article confirms that:
Quote
Extensions that have not been published on the Chrome Web Store are grayed out and you won't be able to turn them back on.

However, the interesting part is that greyed out extensions should also be disabled because Google mentions that if you want to use a greyed out extension, you need to contact the developer and ask them to upload it in the Chrome Web Store. In OP's case, the extension was still working even when it was greyed out.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware...

The OP activated Premium protection only after he discovered the malware, and I guess it's logical that MB couldn't even protect him from the infection after it happened. Of course, the question arises as to how well programs like MB and various AVs are able to detect this kind of malware and prevent it from infecting the system.

I did a little research and found that Opera browser is the first to develop some kind of protection against clipboard malware and I can say that it works. After you copy the Bitcoin address, a pop-up appears with a message that the address has been copied and protected. Perhaps we can expect a similar feature on other browsers as well.

https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
legendary
Activity: 1526
Merit: 1359
Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

I do not think this extension came from the official Google Chrome Web Store, that is probably why it was greyed out. OP said he installed some pirated software lately. In my experience, this is a very common way to get infected with malicious software and browser extensions.

Do not install programs from unofficial sources. They can give you more than you bargained for.  Wink
legendary
Activity: 1932
Merit: 1273
Did you ever take a look at the extension setting page? If I'm not mistaken, on Chrome, you can see the Chrome Web Store page for every installed extension, maybe the fake extension information is listed over there. I tried to look it up but couldn't find any. If there is, the scam extension should be reported.

legendary
Activity: 2450
Merit: 1047

Coincidentally, I have Malwarebytes' premium trial for the past few days, and it didn't help.


This is very alarming and we all thought that Malwarebytes is good at combatting clipboard malware I have Kaspersky and Avira here and checking my extensions so far there is none in my extensions like what you've discovered if you are just a user and you just rely on anti-virus you have this then how can you trust these anti-viruses, we have been like this because these anti-viruses promised to take care care of everything all we have to do is just upgrade tot heir premium plan.
hero member
Activity: 1680
Merit: 845
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal user's data and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?

Neither have I, it's frustrating. I could have never imagined that I'd have a malicious extension swapping coin addresses. I'll take a look through my downloads to see if I find anything suspicious.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
You could start by switching from using Chrome to Firefox browser or even better Firefox fork called Librewolf browser.
Next step you could take is switching from wiNd0ws to Linux os like Fedora or Debian, so you won't need to install any antivirus software that is mostly just security theater.
I would avoid installing many extensions and I would be careful installing anything on my computer especially pirated software, but risk would be much lower with Linux.
I would, but Chrome is synchronizing everything through my Gmail account, something I find extremely convenient.

To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content - because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.
Coincidentally, I have Malwarebytes' premium trial for the past few days, and it didn't help.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I can't claim that having Malwarebytes Premium would have helped in your case, but I've been using it for years in combination with a respectable antivirus package and I don't remember the last time I had problems with viruses/malware. It is possible that this malware can still get past any protections, but it is possible that some premium protection would warn you about this problem and put that file in quarantine.

To begin with, try to change your browser, and then do not download any pirated content - because there is really no need for that, given that very cheap licenses for the most popular software can be found on the Digital goods board of our forum.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.

I haven't found any information online about this malicious extension, so it's likely that it's relatively new. I found some similar extensions that have been used to steal user's data and they are mostly spread through illegally obtained programs (from a pirated source). Maybe if you analyze the Adobe Lightroom package, or some other program you recently downloaded, you can find the source?
legendary
Activity: 2212
Merit: 7064
On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
You could start by switching from using Chrome to Firefox browser or even better Firefox fork called Librewolf browser.
Next step you could take is switching from wiNd0ws to Linux os like Fedora or Debian, so you won't need to install any antivirus software that is mostly just security theater.
I would avoid installing many extensions and I would be careful installing anything on my computer especially pirated software, but risk would be much lower with Linux.
hero member
Activity: 1680
Merit: 845
From what you wrote, it seems that you use certain security solutions, the only question is, do you have proactive protection when it comes to Malwarebytes and do you use any other AV besides Windows defender? There is no doubt that this malware somehow found a way to get into your computer, the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.
To be brutally honest, I haven't bothered with my computer's security too much. I simply installed Malwarebytes and never fiddled with it again. The issue is that I can't recall how I possibly installed such an extension. I recently downloaded Adobe Lightroom from a pirated source, but that was a few days after the extension was created, thus, it's not associated.

On top of that, since it's not an actual virus, it's not detected by any antiviruses, nor VirusTotal. I don't know what other measures I could possibly take to make such a threat public.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
From what you wrote, it seems that you use certain security solutions, the only question is, do you have proactive protection when it comes to Malwarebytes and do you use any other AV besides Windows defender? There is no doubt that this malware somehow found a way to get into your computer, the only question is how?

I always rely on premium security software with an always updated OS and I don't download any suspicious files, but sometimes it seems that even that is not enough to protect against infection. From your example, maybe we can learn that we should check the extensions we have in the browser as often as possible, and that maybe we should avoid Chrome and use some other browsers like Firefox, which is much better when it comes to privacy anyway.
legendary
Activity: 3416
Merit: 1225
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on binance, only the scammer's ?

If it's the latter, holyshit how can someone actually protects himself from it? Since running an antivirus scan doesn't reveal anything.
Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first.

You have the whole community thanking you for not giving up and taking the time and effort to check your machine, if this was not caught by your anti-virus then everybody here is at risk if they are not checking the address, this is another scheme by hackers to steal coins, awareness is the key when transacting, you have to not only double check but triple check on addresses, we never know if we have this, even if we have these popular antiviruses.
Pages:
Jump to: