Malicious Browser Extensions Downloaded 3 Million Times
Researchers: 28 Third-Party Extensions Could Steal Data, Download Malware
Researchers at the security firm Avast have found 28 malicious third-party browser extensions used with Google Chrome and Microsoft Edge that have been downloaded about 3 million times. These extensions are capable of spreading malware, stealing information and altering search engine results.
The malicious extensions spoof an association with well-known apps, such as Facebook, Spotify and Instagram, to help cover up that they are designed to conduct malicious activities, including redirecting users to phishing websites or ads, collecting PII and browsing histories, and downloading additional malware onto a victim's device, Avast reports.
"Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit," Avast says.
The researchers believe the extensions' developers are engaged in a click-jacking scheme and are being paid by the owners of the fraudulent websites where the victims are directed.
How Old Are Extensions?
Avast began monitoring these third-party extensions in November, but the company believes the extensions have been available since December 2018. Although Avast has warned Microsoft and Google about the malicious extensions, all remain available while those companies carry out their own investigations, Avast says.
Microsoft and Google did not immediately respond to a request for comment.
"Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware," Avast researcher Jan Rubin notes in the Thursday report. "It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards."
Avast has created a free tool that can scan for and remove any of the malicious apps.
The malicious extensions are labeled as:
- Direct Message for Instagram
- Direct Message for Instagram
- DM for Instagram
- Invisible mode for Instagram Direct Message
- Downloader for Instagram
- Instagram Download Video & Image
- App Phone for Instagram
- App Phone for Instagram
- Stories for Instagram
- Universal Video Downloader
- Universal Video Downloader
- Video Downloader for FaceBook
- Video Downloader for FaceBook
- Vimeo Video Downloader
- Vimeo Video Downloader
- Volume Controller
- Zoomer for Instagram and FaceBook
- VK UnBlock
- Odnoklassniki UnBlock
- Upload photo to Instagram
- Spotify Music Downloader
- Stories for Instagram
- Upload photo to Instagram
- Pretty Kitty, The Cat Pet
- Video Downloader for YouTube
- SoundCloud Music Downloader
- The New York Times News
- Instagram App with Direct Message DM
Other Extension Issues
In June, Awake Security discovered 70 Chrome extensions that could be used to steal users' credentials and security tokens; the extensions were then removed.
And in February, Google removed 500 Chrome extensions from its online store after Duo Security researchers found that attackers were using them to steal browser data.