Hola VPN

A hacker has breached a Hola VPN developer account and has replaced the official Chrome extension with one that redirected users of the MyEtherWallet.com website to a phishing page controlled by the attacker.

The compromise took place yesterday and only lasted for five hours, the MyEtherWallet (MEW) team said in a tweet. The Hola VPN team admitted to the hack.

"The attack was programmed to inject a JavaScript tag into the MEW site to 'phish' information about MEW accounts that are logging in without being in 'incognito mode', by re-directing the MEW users to the hacker's website," the Hola VPN team said.

Original Hola VPN Chrome extension restored

"We notified MEW, notified Google, and ensured that the hacker's web site was down," Hola developers said.

The Hola VPN Chrome extension has now been restored to its clean version, which is once again available via the Chrome Web Store.

The Hola team didn't say how the hacker gained access to its Chrome Web Store developer account, but Chrome extension developers have been under a barrage of phishing attacks since last year.

Not that many MEW users affected

The MEW team is advising users of this Chrome extension to move cryptocurrency funds to a new MEW account, just to be safe.

Not all MEW users were affected.

Chrome extensions update in the background, as a new version is pushed out. Only users who received the malicious Hola VPN Chrome extension update and who navigated to the MyEtherWallet.com website yesterday, July 9, are in danger.

Bleeping Computer has reached out to the Hola and MEW teams for the precise interval during which the malicious extension was on the Chrome Web Store, and during which users were vulnerable to being redirected to the MEW phishing site. But, out of an abundance of caution, all users who used the Hola VPN extension yesterday should move funds to new MEW accounts.
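An extension can only inject script into a site its manifest grants it host access to, so one way to gauge exposure to an incident like this is to check which installed extensions could run code on the wallet site. The following is an added example, not code from Hola, MEW or this article: it reads a manifest.json structure and lists the entries that cover a given URL. Both sample manifests are constructed, and the check compares scheme and host only, ignoring the path part of a match pattern.

```python
from urllib.parse import urlsplit

def pattern_matches(pattern, url):
    """Scheme/host test of a Chrome match pattern against a URL."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # API permission such as "tabs", not a host pattern
    scheme, rest = pattern.split("://", 1)
    host = rest.split("/", 1)[0].lower()
    target = urlsplit(url)
    target_host = (target.hostname or "").lower()
    if scheme == "*":
        if target.scheme not in ("http", "https"):
            return False
    elif scheme != target.scheme:
        return False
    if host == "*":
        return True
    if host.startswith("*."):  # wildcard covers the domain and its subdomains
        base = host[2:]
        return target_host == base or target_host.endswith("." + base)
    return target_host == host

def script_access(manifest, url):
    """Return the manifest entries that let the extension run script on url."""
    hits = []
    # "permissions" holds host patterns in Manifest V2, "host_permissions" in V3.
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and pattern_matches(p, url):
                hits.append(f"{key}: {p}")
    for cs in manifest.get("content_scripts", []):
        for p in cs.get("matches", []):
            if pattern_matches(p, url):
                hits.append(f"content_scripts.matches: {p}")
    return hits

# Constructed sample manifests (not taken from any real extension).
SITE = "https://www.myetherwallet.com/"
BROAD_MANIFEST = {"manifest_version": 2, "permissions": ["proxy", "tabs", "<all_urls>"]}
NARROW_MANIFEST = {"manifest_version": 3,
                   "host_permissions": ["https://*.example.com/*"],
                   "content_scripts": [{"matches": ["https://www.example.com/*"]}]}

if __name__ == "__main__":
    for name, m in (("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(name, script_access(m, SITE) or "no access")
```

Run against each `manifest.json` in a browser profile's extensions directory, a non-empty result marks an extension whose next update could reach the site.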

All in all, this was a highly complex hack, but this is not the first time the MyEtherWallet service has faced such an incident. In April this year, someone hijacked one of Amazon's most important BGP routes so they could hijack DNS entries for the MyEtherWallet website and, again, redirect users to a phishing site. Hackers made over $160,000 from that attack. For the time being, it is unclear if this second group of hackers managed to steal any funds from users' wallets with their Chrome extension shenanigans.
