A new spyware campaign has been discovered which used malicious Google Chrome extensions downloaded to steal user data and credentials online.
The majority of the free extensions in question, which has been downloaded around 32 million times, either warned users about suspicious websites or were used to convert files from one format to another. However, the extensions actually siphoned off users’ browsing history and other data that provided scammers with their credentials.
According to Gary Golomb, Awake Security co-founder and chief scientist, this was one of the most far-reaching campaigns in the Chrome Web Store to date.
The extensions used in the campaign were designed to avoid detection by antivirus software and other security software which evaluates the reputations of domains on the web. It is also unclear as to who designed the extensions as the developers supplied fake contact information to Google when they submitted them.
If a user downloaded one of the malicious extensions and then used Google Chrome on their home computer, they would connect to a series of websites and transmit information. However, users browsing on a corporate network would not transmit any sensitive information or even reach the attacker’s websites. The 15,000 domains used in the campaign were all purchased from a small Israeli domain registrar called Galcomm.
Security researcher from Tripwire’s vulnerability and exposure research team (VERT), Craig Young provided further insight on how extensions can undermine Chrome’s security, saying:
“The proliferation of browser extensions as conduits for all manner of online activity has been absolutely terrible for security. Chrome generally does well at resisting compromise from sophisticated exploits but extensions can undermine this security completely. When installing an extension, users must approve a permissions manifest defining what the extension can access but it’s likely that the majority of users are not reading or understanding the permission list.”
While extensions can certainly be useful, users should be wary about installing ones from unknown developers to avoid falling victim to potential scams online.
- We’ve also highlighted the best VPN services