Malicious Chrome Extensions Caught Stealing Sensitive Business Data and Browsing History
- John Jordan
- 15 hours ago
A wave of malicious Google Chrome extensions has been discovered, secretly stealing sensitive business data, personal emails, and browsing history from unsuspecting users. These extensions, often disguised as productivity tools or utilities, pose a significant threat by exfiltrating valuable information to attacker-controlled servers, compromising user privacy and security on a large scale.
Key Takeaways
- Malicious Chrome extensions are actively stealing business data, emails, and browsing history.
- These extensions often masquerade as legitimate tools, making them difficult to detect.
- Millions of users have been affected by these campaigns.
- Users are urged to review installed extensions and practice safe browsing habits.
The Threat Landscape
Cybersecurity researchers have identified several campaigns involving malicious browser extensions. One notable example is the "CL Suite" extension, which claimed to offer features for Meta Business Suite and Facebook Business Manager, such as scraping data and removing verification pop-ups. However, it was found to be exfiltrating Two-Factor Authentication (2FA) codes, contact lists, and analytics data to a remote server.
Another significant discovery involved "Phantom Shuttle," a pair of extensions posing as proxy routing and network speed testing tools. These extensions, active since at least 2017, routed all user web traffic through attacker-controlled servers, capturing usernames, passwords, card details, and API tokens. Google has since removed these extensions from the Chrome Web Store.
Furthermore, a campaign dubbed "AiFrame" involved 32 extensions advertised as AI assistants. These extensions acted as proxies, granting remote access to sensitive browser capabilities and even targeting Gmail to read email content directly. Collectively, these AI-themed extensions had been installed by over 260,000 users.
Widespread Exploitation
These malicious extensions are not isolated incidents. A report highlighted a collection of 287 Chrome extensions that exfiltrate browsing history, with a combined total of 37.4 million installations. These extensions often pass user data to data brokers, further compromising privacy.
In another instance, approximately 500,000 VKontakte users had their accounts hijacked through extensions masquerading as VK customization tools. These extensions engaged in account manipulation, including forced subscriptions to attacker-controlled groups and resetting account settings.
Protecting Yourself
To mitigate the risks associated with malicious browser extensions, users are advised to:
- Install Extensions Judiciously: Only install extensions that are absolutely necessary and come from reputable developers.
- Review Permissions Carefully: Pay close attention to the permissions an extension requests before installation. Be wary of extensions asking for broad access to website data.
- Check Publisher Reputation: Research the developer and look for multiple well-reviewed extensions from them.
- Read Reviews Critically: Look beyond star ratings and read detailed user reviews for any red flags.
- Regularly Audit Extensions: Periodically review your installed extensions, disabling or removing any you no longer use or recognize.
- Use Strong Security Software: Employ reputable antivirus software and consider using a password manager to limit the damage if credentials are stolen.
- Enable Two-Factor Authentication (2FA): Add an extra layer of security to your online accounts.
By staying vigilant and adopting safe browsing practices, users can significantly reduce their exposure to these evolving threats.
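One way to carry out the permission review and periodic audit described above, as an added example that is not from the original article: a Python script that reads Chrome extension manifest.json files and flags broad host access and a few sensitive API permissions. The set of permissions flagged, the sample manifests and the function names are this example's assumptions; the layout <extension ID>/<version>/manifest.json is how Chrome stores installed extensions inside a profile's Extensions folder.

```python
import json
from pathlib import Path

# Which permissions to flag is this example's assumption; it is not a finding
# about the permissions of any extension named in the article.
RISKY_API_PERMISSIONS = {
    "proxy": "can route browser traffic through a chosen server",
    "history": "can read browsing history",
    "cookies": "can read cookies for permitted sites",
    "webRequest": "can observe network requests",
    "tabs": "can read URLs and titles of open tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> list[str]:
    """Return sorted findings for one parsed manifest.json."""
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    # Content scripts reach pages through "matches" even without host permissions.
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = set()
    for entry in declared + hosts:
        if isinstance(entry, str) and entry in BROAD_HOSTS:
            findings.add(f"host {entry}: access to data on every site")
        elif isinstance(entry, str) and entry in RISKY_API_PERMISSIONS:
            findings.add(f"{entry}: {RISKY_API_PERMISSIONS[entry]}")
    return sorted(findings)

def audit_profile(extensions_dir: str) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[path.parent.parent.name] = findings  # key by extension ID
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Speed Test Helper",
                "permissions": ["proxy", "storage"], "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "Notes",
                 "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]}
```

Point audit_profile at the Extensions folder of a Chrome profile. A finding is a prompt to review the extension, not proof that it is malicious.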
Sources
- Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History, The Hacker News.
- Malicious Chrome extensions steal user data for years undetected from Chrome Web Store, Fox News.
- Malicious Chrome extensions caught stealing sensitive data, Kurt the CyberGuy.
- Millions of people spied on by malicious browser extensions in Chrome and Edge, Malwarebytes.
- Malicious browser extensions caught spying on 2 million users, Kurt the CyberGuy.






