Browser extension threat targets millions of users
More and more services are available online without additional client software, because they run directly in internet browsers. Browsers have also adapted over time and now allow extensions to be added for thousands of different purposes. However, cybercriminals have been taking advantage of this situation for several years, and it is not going to stop. Kaspersky has released a new report on this specific threat.
Browser extension downloads
Browser extensions, also known as add-ons, are mostly downloaded from official marketplaces or browser vendor repositories, such as the Chrome Web Store or the Firefox Add-ons website. These platforms usually have processes to check whether an extension is benign or might be some form of malware, but some skilled malware developers still manage to bypass these checks. In 2020, 106 browser extensions were removed from the Chrome Web Store after being used to steal user data, take screenshots, or even steal credit card information from web forms.
Quite often, however, add-on developers also host their work on their own website and allow their add-ons to be downloaded from there and installed in the browser.
Browser extensions: the risks
Even leaving malicious add-ons aside, some extensions can be harmful to the user because they collect a lot of data from the web pages the user visits, which makes it possible to build a complete profile of the person browsing and possibly learn too much about them. This data may be shared or sold by the add-on developer to advertisers or other third parties. In the worst case, the data is not anonymized and is sold raw.
Another risk is that once an add-on is installed, it can be updated without requiring any action from the end user, which means that a legitimate add-on could suddenly be compromised and start spreading malware, as happened with the CopyFish add-on. A developer can also give up developing their tool and sell it or give it to another developer, who could turn it into malware.
Malicious add-ons statistics
Kaspersky analyzed data between January 2020 and June 2022 and provided metrics on this threat.
Since 2020, they have blocked downloads of malicious add-ons for 6,057,308 users, most of them in 2020 (Figure A).
As can be seen from the chart, the first half of 2022 has already almost reached the level of the whole of 2021 and will probably increase in the latter part of the year.
The most common threat that spreads via browser extensions is adware: code inside the extension that displays unwanted advertisements in the browser while the user is browsing websites. These advertisements are pushed by affiliate programs, with the aim of attracting more potential customers to their websites (Figure B).
Kaspersky researchers indicate that adware accounts for around 70% of all browser extension threats.
The second most prevalent threat is malware, most of which aims to steal credentials, cookies, and data copied to the clipboard. Although the main use of this type of malware is to steal valid credentials for websites and credit card data, it can also be used for cyber espionage. Between 2020 and 2022, 2.6 million unique users encountered attempts to download malware.
Examples of threats
Kaspersky provides several examples of malicious extensions, two of which really stand out.
The first half of 2022 showed WebSearch to be the most common threat, affecting 876,924 unique users. The threat mimics tools for working with documents, such as .DOC to .PDF file converters and document mergers, among others.
It modifies the user's browser start page, providing links to third-party resources. The transition to these resources is made through affiliate links. As Kaspersky writes, “the more users follow these links, the more money the extension developers earn.”
The default search engine is also changed to one that can capture, collect and analyze queries in order to promote relevant partner sites in search results (Figure C).
The smart part is that the add-on still provides the functionality the user installed it for, usually a PDF converter, so the user doesn’t uninstall it.
It is not available on the Chrome Web Store but can still be downloaded from third-party resources.
One of the most dangerous malicious browser extension families currently is FB Stealer, which aims to steal Facebook cookies in addition to changing the search engine. Stealing cookies allows an attacker to log into the victim’s Facebook account and take full control of it, often changing the password to kick out the legitimate user before using the account for various scams. FB Stealer is installed on the browser by malware, not by the user.
What happens is that users download and get infected with Nullmixer malware, often disguised as a pirated software installer. Once executed, it stealthily installs FB Stealer browser extension malware on the computer.
How to protect against these threats?
It is advisable to always keep the browser updated and patched. In addition, it is strongly advised to have all browser data scanned by security products.
Most malicious add-ons need additional privileges to work fully. Users should always carefully consider the privileges requested by a new add-on they install.
Add-ons should only be downloaded from trusted sources, because malicious add-ons are often distributed via third-party resources where no one checks their safety the way official online stores do.
Finally, users should periodically review their installed extensions and check whether each one is still really necessary. If not, it must be uninstalled.
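The permission and source checks above can be partly automated by reading each installed extension's manifest.json. The following is an added example, not code from Kaspersky or from this article; it assumes Chromium-style manifests stored as `<id>/<version>/manifest.json`, and the list of permissions it flags is a chosen subset matching the behaviours described here.

```python
import json
from pathlib import Path

# Permissions tied to behaviours the article describes (cookie and
# clipboard theft, collection of browsing data).
RISKY = {
    "cookies": "can read site cookies",
    "clipboardRead": "can read the clipboard",
    "history": "can read browsing history",
    "tabs": "can see URLs of open tabs",
    "webRequest": "can observe network requests",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Update endpoint carried by Chrome Web Store installs; any other value
# (or none) is treated here as "not from the store" (assumption).
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample modelled on the search-hijacking converter above.
SAMPLE = {
    "name": "PDF Converter (constructed)", "manifest_version": 3,
    "permissions": ["cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {"search_provider": {"name": "example"}},
    "update_url": "https://updates.example.invalid/crx",
}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    requested = set()
    for key in ("permissions", "host_permissions"):  # MV2 and MV3 keys
        requested |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    findings = [f"permission {p}: {RISKY[p]}" for p in sorted(requested & set(RISKY))]
    if requested & BROAD_HOSTS:
        findings.append("host access: every website")
    for key in ("homepage", "search_provider", "startup_pages"):
        if key in manifest.get("chrome_settings_overrides", {}):
            findings.append(f"settings override: {key}")
    if manifest.get("update_url") != STORE_UPDATE_URL:
        findings.append("update source: not the Chrome Web Store")
    return findings

def audit_profile(extensions_dir):
    """Audit each <id>/<version>/manifest.json under an Extensions folder."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        report[f"{path.parent.parent.name}/{path.parent.name}"] = audit_manifest(manifest)
    return report
```

A finding is a prompt for review rather than proof of malice: many legitimate extensions request broad host access, and locally loaded developer extensions carry no store update URL.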
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.