500 Malicious Chrome Extensions Impact Millions of Users - Threatpost

Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google's Chrome Web Store.

Browser extensions are used for customizing web browsers, modifying user interfaces, blocking ads and managing cookies. But researchers said that the malicious extensions they discovered are instead part of a massive malvertising campaign that also harvested browser data. Malvertising often is used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages.

"These extensions were commonly presented as offering advertising as a service," according to Jamila Kaya, an independent security researcher, and Jacob Rickerd, with Duo Security, in a Thursday analysis. "[Security researcher Jamila Kaya] discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and identify 70 matching their patterns across 1.7 million users and escalate concerns to Google."

Researchers believe that the actor behind this campaign had been active since January 2019, with activity escalating between March and June. After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google's Chrome Web Store, and the source code of the extensions is nearly identical across all of them.

Once installed, the extensions would connect the browser clients to a command-and-control (C2) server and then exfiltrate private browsing data without the user's knowledge, researchers said.

The extensions would also redirect browsers to various domains carrying advertising streams. While a large portion of these ad streams were actually benign (leading to ads for Macy's, Dell or Best Buy), these legitimate ad streams were coupled with malicious ad streams that redirected users to malware and phishing landing pages.

The campaign highlights the security issues that browser extensions can introduce, researchers said. In 2017, a malicious Google Chrome extension stole any data posted online by victims. In 2018, four malicious extensions were discovered in the official Google Chrome Web Store with a combined user count of more than 500,000. And, in January, the Google Chrome and Mozilla Firefox teams took action against extensions that stole user data and executed remote code, among other bad actions.

"Browser extensions are the Wild Wild West of the internet," said Ameet Naik, security evangelist at PerimeterX, in an email. "There are approximately 200,000 extensions available on the Chrome store alone. What most users don't realize is that extensions have full access to all of the data on a page, including your email, banking information and credit card numbers. While many extensions provide value-added services, there's little to stop them from collecting and abusing user data."
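The behaviour described above (an extension that reads page content and ships it to a remote server) is only possible when the extension's manifest requests page-wide data access together with broad host access. The following triage script is an added example, not code from the Threatpost article or from the Duo researchers; it parses Chrome `manifest.json` files (the standard MV2/MV3 format) and flags that combination. The risk heuristic, the sample manifests and the default profile path are assumptions of this example.

```python
"""Triage Chrome extensions by the permissions their manifest.json requests.

Added example (not from the article or the researchers). Flags extensions that
pair sensitive APIs or all-pages content scripts with broad host access, the
combination that lets an extension read page data and send it to any server.
"""
import json
from pathlib import Path

# Triage heuristic chosen for this example, not a Chrome-defined category.
SENSITIVE = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
             "tabs", "history", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_flags(manifest: dict) -> list[str]:
    """Return human-readable flags for a parsed manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    flags = []
    if hosts & BROAD_HOSTS:
        flags.append("broad host access")
    if perms & SENSITIVE:
        flags.append("sensitive API: " + ", ".join(sorted(perms & SENSITIVE)))
    # A content script matched on every page can read forms, including payment data.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        flags.append("content script on all pages")
    return flags


def scan_profile(ext_dir: Path) -> dict[str, list[str]]:
    """Map extension id -> flags for every <id>/<version>/manifest.json found."""
    results = {}
    for path in ext_dir.glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as f:
            results[path.parts[-3]] = risk_flags(json.load(f))
    return results


# Constructed sample manifests for the demo (not taken from any real extension).
BENIGN = {"manifest_version": 3, "name": "Demo notes", "permissions": ["storage"]}
SUSPECT = {"manifest_version": 2, "name": "Demo ads helper",
           "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    print("sample:", risk_flags(SUSPECT))
    # Default Chrome profile location on Linux; adjust for other platforms.
    for ext_id, flags in scan_profile(Path.home() / ".config/google-chrome/Default/Extensions").items():
        print(ext_id, "->", "; ".join(flags) or "no flags")
```

A flagged extension is not necessarily malicious (ad blockers legitimately need most of these permissions), so treat the output as a review queue, not a verdict.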

"We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses," said a Google spokesperson in a statement. "We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies."
