Google Removed 106 Malicious Chrome Extensions

Google developed Chrome, a cross-platform web browser, in 2008. Google Chrome is the most used web browser. With the highest usage share on desktops, mobiles and tablets and over 2 billion active users accessing the World Wide Web, Chrome has become a target of cyber crooks, often through malicious Chrome extensions.
In recent months, Chrome has faced frequent threats from fake or malicious Chrome extensions (also known as add-ons). Awake Security, which has an integration with Google Cloud Platform (GCP) to detect malicious intent using AI, discovered over 100 malicious Chrome extensions. Earlier, in April, Google removed 49 Chrome extensions from the Web Store that were claimed to steal crypto-wallet keys. Now a batch of malicious extensions has jolted Google yet again. This time it is described as a “planned global surveillance campaign”.
Awake Security discovered malicious Chrome extensions gathering users’ browser history and sensitive information. When prompted, Google said that from a batch of 111 it had removed 106 malicious extensions, which had 32 million downloads. Most of the free extensions claimed to work as website screeners or file format converters. Instead, they siphoned user browsing data and sensitive information (like payment credentials and passwords). Based on the number of downloads, this spyware breach is believed to be the biggest malicious Web Store campaign to date!
Malicious Chrome extensions discovered by Awake Security

Malicious Chrome Extensions’ Intent

The extensions were designed to evade security software and avoid detection by antivirus products. The malicious Chrome extensions could also bypass the Google Chrome Web Store security checks to spy on users. This enabled the extensions to run in the background, executing malicious scripts. The extensions also compromised renowned organizations with huge investments in cybersecurity!
When a user was surfing the web, these malicious extensions would connect to a series of websites and transfer the user’s data without his or her consent. However, for anyone on a corporate network, the spyware would not siphon data and credentials to the linked domains.
These malicious extensions are equipped with browser-based surveillance tools. According to Awake Security, they can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
The malicious Chrome extensions hijacked more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations.

Who’s behind this?

With over 32 million downloads, these 106 trojan Chrome extensions have established a persistent foothold in almost every network they penetrated. Awake described this spyware attack as part of a coordinated and “mass global surveillance campaign”.
Most of the 15,000 re-directed domains were purchased from a web registrar in Israel, CommuniGal Communication Ltd. (GalComm). Awake Security alleged that GalComm, as the registrar, should have known what was happening.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”
The attacker behind this is still unidentified, though. Based on the codebases, descriptions and version numbers, it’s believed that the spyware extensions are related to the same threat actor. Awake Security said they could not pin down the threat actor, as fake contact details were supplied when the malicious extensions were submitted to the Web Store.
Google declined to discuss the magnitude of the damage, or why it did not take the necessary actions despite promising a robust security framework.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
These malicious Chrome extensions, acting as dangerous spyware, show the inability of the tech giants to ensure safety for users all over the globe on their respective platforms. This lapse in security is evident from the frequent spyware attacks that “reliable” platforms like Google Chrome are facing.

Safety Measures

  • Always download from legitimate sources. Research the firm before downloading a Chrome extension. Crooked developers usually provide false information about themselves (just as in this case), so it becomes necessary to verify the firm’s legitimacy.
  • There are numerous advertisements that lure users into downloading extensions. The majority of the time, they come from potential threat actors, ready to spy on you the moment the extension is added to the browser. Beware of these imposters!

    Sample of a lure to install a malicious Chrome extension
  • Whenever you download an extension, it asks for permissions. Users are often seen clicking “Allow” without paying any heed to the permissions. Read the permissions requested carefully.
  • Though security software usually fails to provide a complete shield against malware, a genuine product goes a long way. Always keep security software like a firewall or a genuine antivirus.
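The permission review recommended above can also be run over extensions that are already installed. The following is an added example, not code from the original article or from Awake Security: it reads each extension's `manifest.json` and flags permissions that correspond to the capabilities described earlier (browsing history, cookies, clipboard, screen capture, scripts on every page). The mapping of permissions to capabilities and the sample manifest are assumptions made for this example; it relies on Chrome keeping installed extensions under the profile's `Extensions` folder as `<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Manifest permissions mapped to the capabilities named in the article.
# The mapping and its wording are this example's own choices.
RISKY = {
    "history": "reads browsing history",
    "tabs": "sees the URL of every open tab",
    "webNavigation": "observes every page navigation",
    "webRequest": "observes network requests",
    "cookies": "reads cookies, including session tokens",
    "clipboardRead": "reads the clipboard",
    "tabCapture": "captures tab contents",
    "desktopCapture": "captures the screen",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for perm in manifest.get(key, []):
            if isinstance(perm, str) and perm in RISKY:
                findings.append(f"{perm}: {RISKY[perm]}")
            elif isinstance(perm, str) and perm in BROAD_HOSTS:
                findings.append(f"{perm}: can act on every site")
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS.intersection(script.get("matches", [])):
            findings.append("content_scripts: injected into every page, can read typed input")
    return findings

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest)
        if findings:
            report[path.parent.parent.name] = (manifest.get("name", "?"), findings)
    return report

# Constructed sample: a "file converter" asking for far more than it needs.
SAMPLE = {"name": "Example PDF Converter", "manifest_version": 2,
          "permissions": ["storage", "cookies", "clipboardRead", "<all_urls>"],
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
```

A finding is a prompt to ask whether the extension's stated purpose needs that access, not proof of malice; many legitimate extensions request some of these permissions.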
In the end, it comes to the netizens to make the call. Through cyber ethics and proper awareness, one can prevent such notorious cyber-attacks. Stay Updated, Stay Safe!


Ayush Dubey
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology, with cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.
