Chrome Malware Extension Campaign Discovered: What Steps Do You Need To Take?

Cybersecurity firm Awake Security recently discovered a large-scale Chrome extension malware campaign designed to monitor users' networks without their knowledge.

According to Awake Security, at least 111 Chrome extensions contained malware and spying tools pulled from websites hosted by GalComm, and these extensions had been downloaded at least 32 million times. That number does not include extension downloads occurring outside of the Chrome Web Store.

GalComm used the malicious browser extensions to access millions of personal and corporate networks and collect a huge amount of data. Although the attack occurred on a massive scale, the extensions used "sophisticated circumvention methods to avoid detection."

The following Chrome extensions have been found to contain malware:

· browse-safer
· browsing-protector
· browsing-safety-checker
· bytefence-secure-browsing
· convertwordtopdf
· doctopdf
· easyconvert
· easyconvertdefault-search
· gofiletopdf
· mydocstopdf
· pdf2doc
· pdf-ninja-converter
· pdf-opener
· quicklogin
· quickmail
· search-by-convertfilenow
· search-by-convertpdfpro
· search-manager
· secured-search-extension
· secure-web-searching
· securify-for-chrome
· thedocpdfconverter
· theeasywaypro
· thesecuredweb-protected-b
· ttab
· viewpdf

Google has removed the malicious extensions from its store and will deactivate them soon. However, individual users must uninstall any unsafe extensions that they side-loaded from non-Google sources. Brendan Hesse "What You Need to Know About the Latest Chrome Extension Malware Campaign" lifehacker.com (Jun. 24, 2020).

Commentary

Malware designed to spy on users frequently shows up in Chrome extensions, even those included in Google’s Chrome Store. All Chrome users should check now that they aren’t using one of the infected extensions and learn how to avoid unsafe extensions in the future.

Check your current extensions by navigating to “Window” and selecting “Extensions.” If you see any of the extensions listed in the article, immediately delete the extension, turn off your device (or at least disconnect from the internet if you cannot turn it off), and have an information technology professional check it for malware before using your device again.

You must also learn how to reduce your risk of downloading a malware-containing extension, whether you use Chrome or another browser. Only download well-established extensions made by verified publishers from your browser’s official store. You can use the “By Google” search feature in the Chrome Extension store or check the list of Mozilla recommended add-ons.

Before downloading any extension, even a well-known one, confirm that the extension’s name, description, and details are all as expected and match each other. If downloading a less-established extension, make sure that the developer has a solid reputation. Check reviews to see if they are authentic or fake. Never download an extension outside of your browser’s official store or in response to a pop-up ad. Avoid downloading redundant or unnecessary extensions.

Do not trust browser extensions that ask for more permission than they should based on their advertised purpose. Almost all of the malicious extensions identified by Awake Security asked for at least one permission that did not fit with their use. For example, malicious extensions may ask to take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, or grab user keystrokes. 
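The permission check described above can be run over extensions that are already installed. The following is an added example, not code from the article or from Awake Security: it reads each extension's manifest.json and reports permissions that cover the capabilities named above. The directory passed to audit_profile, the finding wording and the sample manifest are assumptions constructed for illustration.

```python
import json, tempfile
from pathlib import Path

# Real Chrome manifest permissions mapped to capabilities the article warns about.
RISKY = {
    "clipboardRead": "read the clipboard",
    "cookies": "read cookies, including session tokens",
    "desktopCapture": "capture the screen",
    "webRequest": "observe network requests",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json (dict)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    perms |= set(manifest.get("host_permissions", []))  # Manifest V3 host list
    findings = [f"{p}: can {RISKY[p]}" for p in perms if p in RISKY]
    if perms & BROAD_HOSTS:
        findings.append("broad host access: can read and change data on all sites")
    # A content script injected into every page can observe what is typed there.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script on all sites: can observe page input")
    return sorted(findings)

def audit_profile(ext_dir):
    """Audit <ext_dir>/<extension id>/<version>/manifest.json, Chrome's on-disk layout."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:  # utf-8-sig tolerates a byte-order mark at the start of the file
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["manifest could not be parsed; inspect manually"]
        if findings:
            report[path.parent.parent.name] = findings
    return report

def demo():
    """Constructed sample: a 'PDF converter' asking for more than conversion needs."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "constructed-extension-id", "1.0_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({
            "name": "Sample PDF Converter", "manifest_version": 2,
            "permissions": ["clipboardRead", "cookies", "<all_urls>", "storage"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}))
        return audit_profile(tmp)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A finding is a prompt to compare the permission with the extension's advertised purpose, not proof of malware; many legitimate extensions need broad host access.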

When you add an extension, a prompt will pop up notifying you what the extension will do. Read through the list every time. If you are not comfortable with the extension’s capabilities, click “Cancel.”

If it is appropriate based on the function of the extension to collect data, make sure the publisher clearly outlines how the data will be used in a privacy policy. Having a privacy policy doesn’t guarantee safety—after all, cybercriminals are known for disseminating fraudulent content—but a lack of a privacy policy practically guarantees that your data is not safe.
