Most of the dangerous extensions masked themselves as ad blockers and were easily found by queries such as adblock, adguard, ublock, ad blocker, and so on. Were also discovered xtensions masked under weather widgets and utilities for creating screenshots.

In fact, 245 out of 295 extensions did not have any useful functionality for users and could only change the custom background for new tabs in Chrome.

All these extensions did not become malicious immediately: only after receiving the appropriate command from a remote server, they downloaded malicious code from fly-analytics.com, and then quietly injected ads into Google and Bing search results.

“For example, some extensions checked which page they run on. If it was Bing or Google search results, the malware downloaded an image from the lh3.googleusrcontent.com domain. This domain has nothing to do with Google, and the name is deliberately similar to confuse a potential observer”, – note the researchers.

In the image loaded in this way, ads are hidden using steganography, and the extension eventually embeds ads in search results.

Other extensions used the cookie stuffing technique, that is, after receiving a command from the command and control server, they discreetly installed special “partner” cookies on the victim’s machine. For example, if a user visited Booking.com, the attackers injected a “partner” cookie into the system, and when the user made a purchase, the author of the extension received a commission from Booking.com.

The researchers note that such fraudulent extensions share a number of common features, including:

• an extension downloaded more than 1,000,000 times cannot have 5-100 reviews in the Chrome Web Store;
• the fake ones use the source code of other ad blockers;
• such extensions have very short descriptions, maximum 2-3 paragraphs. They get to the top of search results in dishonest ways;
• the fake privacy policy is usually published in Google Docs or Notion;
• malicious extensions use Google Tag Manager, which allows their operators to change the tag at any time and completely change the extension code.

Currently, Google experts are already studying the experts’ report and are removing malware from the Chrome Web Store. Also, the removed extensions will be disabled in users’ browsers and marked as malware.

Let me remind you that only recently experts discovered Chrome largest spyware installation campaign.

The post 295 Chrome extensions injected ads in search results appeared first on Gridinsoft Blog.

Users installed spyware through 32,962,951 downloads of various malicious extensions.

“The Awake Security Threat Research Team has uncovered a massive global surveillance campaign exploiting the nature of Internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments. If anything, the severity of this threat is magnified by the fact that it is blatant and non-targeted — i.e. an equal opportunity spying effort”, — write Awake Security researchers.

Majority of free extensions are designed to warn users about suspicious web sites or convention of files from one format to another, however, in some cases, cybercriminals build in them additional functions to monitor user actions in the browser.

According to experts, the detected spyware installation campaign turned out to be the largest for Google Chrome in terms of the number of downloads.

Malware developers provided false contact information when they confirmed extensions to Google.

“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network”, — explained Awake Security specialists.

Experts have discovered more than 15 thousand malicious domains associated with each other, purchased from a small Galcomm registrar (also known as CommuniGal Communication Ltd) from Israel. According to Galcomm director Moshe Fogel, the company did not know anything about these malicious domains.

Researchers notified Google of their findings, and the company removed more than 70 malicious programs from the official Chrome Web Store.

Also, according to the findings of Awake Security – the problem leads to serious questions about the fragility of the Internet.

Enterprise security teams would do well to recognize that rogue browser extensions pose a significant risk especially as more of our digital life is now conducted within the browser. Moreover, this threat is one that bypasses a number of traditional security mechanisms including endpoint security solutions, domain reputation engines, web proxies and cloud-based sandboxes.

As we can see, “shit happens” even in such a proud security environment as Google Chrome. However, recently we talked about a literal illustration of this saying – Shitcoin Wallet for Google Chrome steals cryptocurrency passwords and keys.

The post Experts discovered Chrome largest spyware installation campaign appeared first on Gridinsoft Blog.