Okta Disrupts Malicious ShieldGuard Chrome Extension
Okta, a cloud identity company, has announced that it has disrupted a malicious Chrome browser extension called ShieldGuard. The extension was designed to steal wallet addresses and account data from users of major crypto services, including Binance, Coinbase, MetaMask, Phantom, OpenSea, and Uniswap.
The extension relied on social engineering to get users to install it, posing as a cryptocurrency security product that could detect suspicious transactions. Once installed, however, it requested broad browser permissions, including the ability to 'Read and change all your data on all websites.'
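The permission Chrome describes as 'Read and change all your data on all websites' is what an extension gets by requesting host access to every origin (`<all_urls>` or an equivalent wildcard pattern) in its manifest. The following Python script is an added illustration, not code from Okta or from the extension: it parses an extension manifest and flags all-sites host access together with the API permissions that make such access dangerous. Both manifests it reviews are constructed for the example.

```python
import json

# Constructed sample manifest (hypothetical; not the ShieldGuard manifest).
# Host access to <all_urls> is what Chrome's install prompt renders as
# "Read and change all your data on all websites".
SAMPLE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Wallet Guard",
  "version": "1.0",
  "permissions": ["storage", "scripting", "webRequest", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [
    {"matches": ["<all_urls>"], "js": ["content.js"]}
  ]
}"""

# Constructed minimal-privilege manifest for comparison.
NARROW_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Site Helper",
  "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"]
}"""

# Match patterns that grant access to every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension read or rewrite page content and
# network traffic on whatever hosts it has been granted.
HIGH_RISK_PERMISSIONS = {
    "scripting", "webRequest", "declarativeNetRequest", "debugger",
    "cookies", "tabs", "clipboardRead", "nativeMessaging",
}


def _all_host_patterns(manifest):
    """Collect host match patterns from every place a manifest can declare them."""
    patterns = list(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions"; keep checking there.
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def broad_host_patterns(manifest):
    """Return the all-sites patterns the manifest requests, sorted."""
    return sorted({p for p in _all_host_patterns(manifest) if p in BROAD_HOST_PATTERNS})


def risky_permissions(manifest):
    """Return the high-risk API permissions the manifest requests, sorted."""
    return sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS)


def review_manifest(manifest_text):
    """Parse a manifest.json string and produce a small findings report."""
    manifest = json.loads(manifest_text)
    broad = broad_host_patterns(manifest)
    risky = risky_permissions(manifest)
    findings = []
    if broad:
        findings.append(
            f"all-sites host access via {', '.join(broad)} "
            "(shown to users as 'Read and change all your data on all websites')")
    if broad and risky:
        findings.append(
            f"all-sites access combined with {', '.join(risky)}: "
            "the extension can read and rewrite every page and request")
    return {
        "name": manifest.get("name"),
        "manifest_version": manifest.get("manifest_version"),
        "broad_hosts": broad,
        "risky_permissions": risky,
        "findings": findings,
    }


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, NARROW_MANIFEST):
        report = review_manifest(text)
        print(f"{report['name']} (MV{report['manifest_version']})")
        for finding in report["findings"] or ["no broad-access findings"]:
            print(f"  - {finding}")
```

Run it against an unpacked extension's manifest.json before installing; an extension whose stated purpose is to watch a handful of crypto sites has no need for `<all_urls>`, and the combination of all-sites host access with `scripting` or `webRequest` is the shape a reviewer should stop on.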
Okta's analysis found that the extension was heavily obfuscated, making it difficult to review and reverse engineer. The attackers built a custom JavaScript interpreter to bypass security restrictions in Chrome's Manifest V3 framework, which forbids an extension from loading and executing remotely hosted code; running attacker-supplied logic through the extension's own interpreter sidesteps that restriction.
