
Trustwave Uncovers Web Extension that Circumvents 2FA to Exploit User Funds


New research from cybersecurity company Trustwave SpiderLabs has shown that cybercriminals now have a new Chromium-based browser extension that bypasses two-factor authentication and exploits crypto users. Hackers use the extension, named Rilide, to monitor users’ web activity, take screenshots, and inject scripts that let them compromise victims' accounts.

Although Trustwave did not find the origin of Rilide, the cybersecurity firm disclosed that it uncovered the software after part of its code was leaked in a private group, the result of a feud between black hat hackers over unresolved payments.

The malicious two-factor authentication bypass is the first of its kind to be reported. Hackers have in the past used other techniques, such as taking flash loans to borrow from exchanges or abusing a bug to mint unlimited tokens on a network. The new Rilide software highlights the level of technical sophistication hackers can employ to perpetrate cyber crimes.

Rilide Bypasses 2FA

Rilide defeats two-factor verification by presenting a fake interface that tricks victims into entering their one-time password into the malicious dialog. Once this is achieved, the extension gains access to the user’s wallet and siphons funds to the hacker.

The malware models its authentication box on the email verification interface of whichever exchange the victim is using, making it hard for victims to tell apart from the real one. Rilide processes the transaction automatically after receiving the authentication code.

Software Matches User Web Content with C2

Once installed, Rilide works in a way that makes the exploit easy for the attacker. It attaches a monitor that keeps tabs on the victim’s browser windows and their content, continually comparing them against a list of target sites and data supplied by the command and control (C2) server.

Once the observed activity matches an entry on the target list, Rilide injects an additional script to steal the relevant user credentials and exploit the user. The extension can also read the victim’s web history and take screenshots.
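As an added illustration from the defender's side (this is not part of Trustwave's research or of this article), the following Python script triages a Chromium extension's manifest.json for the permission combinations that behaviour like the tab monitoring, script injection, screenshot capture and history access described above would require. The two manifests and the extension directory path are constructed examples and are not Rilide's; the risk thresholds are a simple assumed heuristic for triage, not a detection signature.

```python
"""Triage Chromium extension manifests for capability combinations that enable
watching tabs, injecting script into pages, taking screenshots and reading
browsing data. Constructed example for defenders; thresholds are an assumption."""
import json
from pathlib import Path

# Permission groups (Chrome Manifest V3 names) grouped by the capability they grant.
TAB_OBSERVATION = {"tabs", "webNavigation", "webRequest"}
SCRIPT_INJECTION = {"scripting", "activeTab"}
BROWSING_DATA = {"history", "cookies"}


def is_broad(pattern):
    """True for host patterns that cover effectively every site."""
    return pattern == "<all_urls>" or pattern.startswith(("*://*/", "http://*/", "https://*/"))


def host_scope(manifest):
    """Collect host patterns from host_permissions (MV3), permissions (MV2 style)
    and content_scripts matches."""
    hosts = set()
    for p in list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", [])):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def triage_manifest(manifest):
    """Return the capabilities a manifest grants and a coarse risk label."""
    hosts = host_scope(manifest)
    perms = {p for p in manifest.get("permissions", []) if p not in hosts}
    broad = any(is_broad(h) for h in hosts)
    findings = []
    if perms & TAB_OBSERVATION:
        findings.append("tab observation: " + ", ".join(sorted(perms & TAB_OBSERVATION)))
    if perms & SCRIPT_INJECTION or manifest.get("content_scripts"):
        findings.append("script injection into pages")
    # chrome.tabs.captureVisibleTab needs activeTab or host access to the page,
    # so broad host access together with "tabs" already implies screenshots.
    if broad and "tabs" in perms:
        findings.append("screenshot capability (captureVisibleTab with broad host access)")
    if perms & BROWSING_DATA:
        findings.append("browsing data access: " + ", ".join(sorted(perms & BROWSING_DATA)))
    # Assumed heuristic: injection on every site plus two more capabilities is "high".
    if broad and "script injection into pages" in findings and len(findings) >= 3:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "broad_host_access": broad,
            "findings": findings, "risk": risk}


def scan_profile(extensions_dir):
    """Triage every manifest.json under a Chromium profile's Extensions directory.
    The directory location varies by OS and browser; the caller supplies it."""
    results = []
    for path in Path(extensions_dir).rglob("manifest.json"):
        with open(path, encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue  # skip unparsable files rather than abort the scan
        result = triage_manifest(manifest)
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed sample manifests (not from any real extension).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Constructed Sample Extension",
    "permissions": ["tabs", "scripting", "storage", "history"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Constructed Benign Extension",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage_manifest(m), indent=2))
```

Run it against a copy of a profile's Extensions directory with `scan_profile(...)` and review anything rated "high" by hand: legitimate extensions (password managers, ad blockers) also request broad host access, so the output is a shortlist for inspection, not a verdict.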