Malware infected browser extensions stealing Chrome, Edge user data

Avast noted that the malware is quite tricky and does not execute itself if the victim is a web developer as it will be easy for them to identify its malicious activities.

Just last week it was reported that an infostealer malware is targeting popular browsers like Firefox, Chrome, Yandex, Edge browser. Now, the IT security researchers at Avast have identified several malware-infected third-party browser extensions running on Google Chrome, and Microsoft Edge browsers – These extensions are being used by around 3 million users around the world.

These extensions are developed to steal the personal data of users and redirect them to websites that are either compromised, running phishing scams, or bombarding visitors with unwanted ads.

According to Avast, most of these extensions hide behind services like video downloading for social media platforms mainly Facebook, Instagram, Vimeo, and VK, etc.

See: Chrome extensions with 80 million+ users found engaging in ad fraud

Upon installation, malicious code in the Javascript-based extensions lets attackers drop additional malware on the targeted device, says the report shared by Avast with Hackread.com.

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit, Avast wrote in a blog post.

Unsurprisingly, the motive behind the campaign is making money. Researchers believe that attackers are monetizing the traffic and get paid for every redirection to a third party domain.

Additionally, breaching user’s privacy to such an extent also lets attackers behind this campaign collect more information including victim’s email address, date of birth, time of signing in, last login, what operating system they are using, name of their device, what browser they are using and approximate geographical location history with the help of their IP address.

“Our hypothesis is that either the extensions were deliberately created with the malware built in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,” said Jan Rubín, Malware Researcher at Avast.

Rubin further noted that the campaign has been operating for several years without getting noticed which is probably possible because of the malware’s detection evading capabilities. For instance, it does not execute itself if the victim is a web developer as it will be easy for them to identify its malicious activities.

“The extensions’ backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover,” Rubín added.

List of malicious extensions identified by Avast:

At the time of publishing this article, the reported extensions were still available for download. The cybersecurity giant has informed Google and Microsoft about the issue.

See: 70 malicious Chrome extensions found spying on 32 million+ users

For now, if you have any of these extensions installed on your browser it is advised to disable and remove them. Also, refrain from using third-party apps, install reliable anti-virus software, scan your device regularly change your password on all social media accounts and email addresses. 

Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter!