
Topic: Fake Google Sheets Extension - Scammed | Last Update! - page 3. (Read 617 times)

hero member
Activity: 1680
Merit: 845
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
Nope, it's not the well-known clipboard virus. It actually displayed the scammer's addresses instead of the actual ones. Binance's support agent was genuinely frustrated at first. This is before deleting the extension.



And this is after deleting it, displaying the address support indicated as theirs.

hero member
Activity: 2996
Merit: 598
After this post, I immediately checked all my extensions to see if there are any that I don't remember putting in my browser. Everybody should know this, and it is riskier because they cannot be traced by anti-virus. If you haven't done an extensive review of your extensions you will not know this, because all this time we trust everything that comes from Google. I wonder, is it really coming from Google? I'm sure it's not.
member
Activity: 84
Merit: 10
Was this virus one of those clipboard viruses that changes the address you copy to the scammer's one? Or is this a new kind where you don't even see the real address on Binance, only the scammer's?

If it's the latter, holy shit, how can someone actually protect himself from it? Since running an antivirus scan doesn't reveal anything.
hero member
Activity: 1680
Merit: 845
Thank you for the warning OP. I would've never suspected the Google sheet extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out doesn't that mean it's been disabled by the navigator?
This malware seems more dangerous even than the clipboard hijacker malware because it changes the actual address from source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?

My best guess is because it's not an actual functioning extension. A quick look at its main manifest.json file shows you what details it can present. If you click on any other extension, it opens up the extension or its settings (Metamask wallet opens the wallet, Grammarly opens up preferences, etc.). The fake Google Sheets one didn't have an actual menu; thus, it doesn't have anything to open and appears grayed out.

legendary
Activity: 2702
Merit: 3045
Thank you for the warning OP. I would've never suspected the Google sheet extension to be the malware responsible for changing addresses.
btw, if an extension is grayed out doesn't that mean it's been disabled by the navigator?
This malware seems more dangerous even than the clipboard hijacker malware because it changes the actual address from source and therefore there is no way you would suspect it's been changed.

I would wipe out my computer's hard drive and reinstall the OS if I were you, though!
legendary
Activity: 1526
Merit: 1359
This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.

Damn! So my initial suspicion was correct. Yes, I think you were very lucky considering how small the amount was. For this reason, it is always a good idea to precede each serious transaction with a smaller one to ensure that the funds will reach the intended destination.

Good detective work, by the way. It is too bad you could not figure out where you downloaded the extension to your browser. Who knows, there may even be different extensions infected with malware. Does anyone know why the extension name was greyed out?
hero member
Activity: 1680
Merit: 845
This thread is a follow-up of the previous thread I created, regarding a lost XRP deposit. For those who haven't read it and have limited time, I'll summarize.

(https://bitcointalksearch.org/topic/ripple-deposit-never-received-5408926)

I tried depositing XRP from Kraken to Binance. My deposit was never credited to my account, which got me frustrated, thinking I'd done something wrong. After several users suggested it, I contacted Binance, and they told me that this wasn't their XRP address and recommended that I install Binance's app on my phone. To my surprise, the address I had on my phone was different from the one on my computer. The same thing occurred if I tried depositing other coins, such as BTC or ETH. I was baffled; the support agent mentioned that it was probably malware on my computer.

I started with antivirus scans using Windows Defender and Malwarebytes; however, both showed no results. A few users suggested that it could be an extension on Chrome, so I decided to check, but nothing looked suspicious at first.

Google Sheets, ZenMate, uBlock, Grammarly etc… Nothing suspicious, right? Except for the fact that I don't recall installing the Google Sheets extension. I didn't think much of it, since I use Google services a lot (Drive, Docs, Excel), but I noticed that for some strange reason the name was grayed out, while the other extensions weren't.

I deleted the extension and Binance is now showing the proper address. Upon further investigation and opening its source file, it has JavaScript code that switches coin addresses with the scammer's address. On top of that, whenever I searched the scammer's XRP or BTC address, the tab would crash.





The issue is that I don't recall installing something like this on my own, unless it popped up and I accepted its installation without realizing it. The extension's folder was created on 23/07/2022, so it's relatively new, and I can't remember if I downloaded any pirated software or what else.

This time I was extremely lucky, because a few days ago I was actually planning on moving my funds from Binance in an attempt to find a better APY. Chances are that I would have lost my money.
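
An added example, not from the thread or from any poster: a Python audit of the manifest.json files mentioned above, flagging installed extensions that can read and modify pages on every site or on watched exchange domains, and that ship no popup or options page. The `WATCHED` list, the sample manifests and the flag wording are assumptions made for illustration; broad page access is also normal for ad blockers and grammar checkers, so a hit is a prompt to check whether you remember installing the extension, not a verdict.

```python
import json
import tempfile
from pathlib import Path

WATCHED = ("binance.com", "kraken.com")  # assumption: sites whose deposit pages matter to you
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return the reasons a manifest deserves a manual look (heuristics, not verdicts)."""
    # Manifest V3 lists hosts in host_permissions; Manifest V2 mixes them into permissions.
    patterns = [str(p) for p in manifest.get("host_permissions", []) + manifest.get("permissions", [])]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    reasons = []
    if BROAD & set(patterns):
        reasons.append("page access on every site")
    watched = sorted({site for site in WATCHED for p in patterns if site in p})
    if watched:
        reasons.append("page access on " + ", ".join(watched))
    action = manifest.get("action") or manifest.get("browser_action") or {}
    has_ui = action.get("default_popup") or manifest.get("options_page") or manifest.get("options_ui")
    if reasons and not has_ui:
        reasons.append("no popup or options page")
    return reasons

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return {id: (name, reasons)}."""
    findings = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the scan
        reasons = audit_manifest(manifest)
        if reasons:
            findings[path.parent.parent.name] = (manifest.get("name", "?"), reasons)
    return findings

SAMPLES = {  # constructed sample manifests, not the files from the thread
    "aaaa": {"name": "Sheets helper", "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    "bbbb": {"name": "Notes", "permissions": ["storage"], "action": {"default_popup": "popup.html"}},
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in SAMPLES.items():
            path = Path(root, ext_id, "1.0_0", "manifest.json")
            path.parent.mkdir(parents=True)
            path.write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(root)
```

To scan a real profile, pass `audit_profile` the profile's Extensions folder, which on Windows is typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`.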