Google has removed 106 malicious and fake Chrome extensions being used in a global eavesdropping campaign.
The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.
Figures for the others not in the official marketplace are hard to calculate for obvious reasons.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.
After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.
Spoofed to appear legitimate, the extensions all sent the data they harvested back to ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”
Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, Anti-Virus and other defenses.
One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter.
If the connection is coming from a data center, web hosting service, transit networks, VPN or proxy, the request is redirected to a benign page.
In some cases, efforts were made to bypass the Chrome Web Store altogether.
They do so by loading a self-contained Chromium package instrumented with the malicious plugins. As most users don’t recognize the difference between Chrome and Chromium, when prompted to make the new browser their default, they frequently do – making their primary browser one which will happily continue to load malicious extensions from other GalComm related sources.
To check what extensions are installed in Chrome, click on the 3 dots in the upper right of Chrome then click “settings” and in the menu on the left you should see “extensions”. Click into extensions to review them by clicking on “details”. If you do not recognize or use a particular extension, click to remove them.
The report suggested the campaign could be tied to state-sponsored activity.
To review the full report, CLICK HERE.
Additional Information (From our monthly co-hosted radio show with Attorney Mark Greene “So What About That Law?”
David doesn’t allow Chrome to track his internet history or save website login passwords…
He did this to help improve security as well as minimize advertising. Passwords are saved as plain (readable) text in Chrome which you can look at and control in Chromes settings (click on the 3 dots on the upper right)
