Google has withdrawn 500 malware-driven Chrome extensions from its Web Store as malicious advertisements and user surfing injections have been detected on servers under attacker power. These extensions were part of a malicious and ad-fraud program that has been operating since January 2019 at least, although evidence shows that the actor under the scheme may be functioning since 2017. Researchers Jamila Kaya and Cisco-owned Duo Security, who released 70 Chromium extensions with over 1 million installs, have investigated them in a joint investigation.
After privately sharing the discovery with Google, the company found 430 more problem-saving browser extensions. "If tracking-backed publicity remains all-around, and especially if users remain underserved by protective systems, the prevalence of malvertising will continue to rise," says Jacob Rickerd in the study, both of Kaya and Duo Security.
The researchers have been able to verify that the browser plugins running by unexpectedly linking the browser clients with an attacker-controlled command-and-control (C2) server allowing the exfiltration of privately owned browsing data without user awareness using Duo Security's Chrome security assessment tool — CRXcavators —. The plugins, which were marketed and sold, had nearly identical source code, although the names of the apps were different, thus avoiding Chrome Web Store detection mechanisms.
In order to check for instructions for uninstalling themselves from your browser as well as for demanding comprehensive authorization that gives the plug-ins access to clipboards and all cookies locally stored in your browser, you periodically linked to a domain with the same plugin (i.e. Mapstrekcom, Arcade Yumcom).
When they first accessed the website, the plugins later contact a hard-coded domain C2— e.g. DTSINCEcom — to search for further guidance and places where user data can be submitted and lists of ads modified and domains redirected, which eventually redirected user browsing sessions to a mix of legitimate websites."Benign traffic sources, leading to ads like Macy's, Dell or Best Buy are a large part of these," the study said. "Some of these ads may be considered legit; however, the ad origins lead to a malicious site 60% to 70% of the time it redirects."
This is not the first time that Chrome browser data-robber extensions have been found. Sam Jadali and the Washington Post, security researchers, discovered last July a massive data leak known as DataSpii, orchestrated by dubious Chrome and Firefox plugins, installed on more than four million users. Such additional information collected navigation activities— including personally identifiable data— and exchanged this information with an unidentified third-party data broker who forwarded it to an analytics company called Nacho Analytics (now shut down), which then sold the data collected in almost real time to its customer.
As a result, from 15 October 2019, Google had required extensions to request access to only "less data" to restrict any extensions which do not include a privacy policy, and to collect information about the browsing habits of users. The same precautionary rule applies at present: check your extension permissions, suggest uninstalling extensions that are seldom used, or move to alternative software which doesn't require intrusive browser access.
0
15
Written by
Secure
Secure
4 years ago
Written by
Secure
Secure
4 years ago