Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Malicious Browser Extensions Downloaded 3 Million Times

Researchers: 28 Third-Party Extensions Could Steal Data, Download Malware
Malicious Browser Extensions Downloaded 3 Million Times

Researchers at the security firm Avast have found 28 malicious third-party browser extensions used with Google Chrome and Microsoft Edge that have been downloaded about 3 million times. These extensions are capable of spreading malware, stealing information and altering search engine results.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

The malicious extensions' spoofed association with well-known apps, such as Facebook, Spotify and Instagram, to help cover up that they are designed to conduct malicious activities, including redirecting users to phishing websites or ads, collecting PII and browsing histories and downloading additional malware onto a victim's device, Avast reports.

"Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit," Avast says.

The researchers believe the extensions' developers are engaged in a click-jacking scheme and are being paid by the owners of the fraudulent websites where the victims are directed.

How Old Are Extensions?

Avast began monitoring these third-party extensions in November, but the company believes the extensions have been available since December 2018. Although Avast has warned Microsoft and Google about the malicious extensions, all remain available while those companies carry out their own investigations, Avast says.

Microsoft and Google did not immediately respond to a request for comment.

"Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular and then pushed an update containing the malware," Avast researcher Jan Rubin notes in the Thursday report. "It could also be that the author sold the original extensions to someone else after creating them and then his client introduced the malware afterwards."

Avast has created a free tool that can scan for and remove any of the malicious apps.

The malicious extensions are labeled as:

  • Direct Message for Instagram
  • Direct Message for Instagram
  • DM for Instagram
  • Invisible mode for Instagram Direct Message
  • Downloader for Instagram
  • Instagram Download Video & Image
  • App Phone for Instagram
  • App Phone for Instagram
  • Stories for Instagram
  • Universal Video Downloader
  • Universal Video Downloader
  • Video Downloader for FaceBook
  • Video Downloader for FaceBook
  • Vimeo Video Downloader
  • Vimeo Video Downloader
  • Volume Controller
  • Zoomer for Instagram and FaceBook
  • VK UnBlock
  • Odnoklassniki UnBlock
  • Upload photo to Instagram
  • Spotify Music Downloader
  • Stories for Instagram
  • Upload photo to Instagram
  • Pretty Kitty, The Cat Pet
  • Video Downloader for YouTube
  • SoundCloud Music Downloader
  • The New York Times News
  • Instagram App with Direct Message DM

Other Extension Issues

In June, Awake Security discovered 70 Chrome extensions could be used to steal users' credentials and security tokens, which were then removed.

And in February, Google removed 500 Chrome extensions from its online store after Duo Security researchers found that attackers were using them to steal browser data.


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.