"Rilide Browser Extension Steals MFA Codes"

Cryptocurrency thieves are targeting users of Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Opera, with an extension that can steal credentials and multi-factor authentication (MFA) codes. The extension, dubbed Rilide by Trustwave researchers, mimics the legitimate Google Drive extension while, in the background, disabling the Content Security Policy (CSP), collecting system information, exfiltrating browsing history, capturing snapshots, and injecting malicious scripts. It allows attackers to compromise Outlook, Yahoo, and Google email accounts by serving forged email confirmations. It also enables the compromise of cryptocurrency-related accounts such as Kraken, Bitget, and Coinbase by serving forged MFA requests. The malicious extension has been observed being distributed via two campaigns involving malicious Google advertisements, macro-enabled documents, the Aurora stealer, and the Ekipa Remote Access Trojan (RAT). The article goes on to discuss the findings regarding the malicious Rilide browser extension.

Help Net Security reports: "Rilide Browser Extension Steals MFA Codes"

Submitted by Anonymous on