- DomainTools found more than 100 domains promoting fake browser extensions
- These extensions impersonated legitimate products and reputable businesses
- They were stealing sensitive data and executing malicious code remotely
Security researchers recently found more than 100 malicious browser extensions posing as legitimate tools. These extensions, distributed through various channels, but also found on the Google Chrome Web Store, were able to steal sensitive user information, as well as receive further commands to execute.
Google was notified of the findings and managed to remove most malware from its repository. Apparently, some still remain and continue to present a risk to the users.
This is all according to DomainTools, who claim to have spotted more than 100 fake domains promoting the tools, most likely through malvertising campaigns. The malware spoofed all sorts of legitimate products, from VPNs, to AI assistants, and cryptocurrency utilities, and impersonated some of the world’s biggest brands, including Fortinet, YouTube, or Calendly.
“The Chrome Web Store has removed multiple of the actor’s malicious extensions after malware identification,” DomainTools said. “However, the actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements.”
The full list of malicious domains can be found on this link.
Abusing extensions
Add-ons and extensions are a great way to expand the browser’s features and thus enhance user productivity in a business environment.
For example, tools like Asana, Trello, or Grammarly can streamline workflows and improve writing accuracy, while password managers like LastPass can improve credential management.
However, they also handle a lot of sensitive information and are granted high-level permissions, which is why they’re often on the threat actors’ radars. That being said, not only are hackers looking for ways to break into legitimate tools, they often build fake ones, too.
With spoofed add-ons, they can gain high-level privileges without raising alarms, and can access sensitive information stored in the browser, such as passwords, or credit card data.
It is important that users only install the add-ons from reputable sources such as the Chrome Web Store, but even there – they should read the reviews and mind the download count because, as seen in this example, crooks can sometimes smuggle malware even past the greatest of gatekeepers.
Via BleepingComputer
Leave a comment