{"id":27056,"date":"2023-12-15T16:11:33","date_gmt":"2023-12-15T16:11:33","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/dangerous-browser-extensions-2023\/27056\/"},"modified":"2023-12-15T16:11:46","modified_gmt":"2023-12-15T16:11:46","slug":"dangerous-browser-extensions-2023","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/dangerous-browser-extensions-2023\/27056\/","title":{"rendered":"Dangerous browser extensions"},"content":{"rendered":"

We often write here on these blog pages about how browser extensions can be very dangerous. To illustrate this fact, we decided to dedicate an article to it. In this post, we\u2019ll look at the most interesting, unusual, widespread, and dangerous cases involving malicious extensions in 2023. We\u2019ll also discuss what these extensions were capable of \u2014 and, of course, how to protect yourself from them.\n<\/p>\n

Roblox extensions with a backdoor<\/h2>\n

\nTo set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let\u2019s start with a story that began last year. In November 2022, two malicious extensions with the same name \u2014 SearchBlox \u2014 were discovered<\/a> in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.<\/p>\n

The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players\u2019 accounts and steal their in-game assets. After information about these malicious extensions was published<\/a> on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who\u2019d installed them.<\/p>\n

\"SearchBlox:<\/a>

Malicious SearchBlox extensions published in the Google Chrome Web Store hijacked Roblox players\u2019 accounts. Source<\/a><\/p><\/div>\n

However, the Roblox story doesn\u2019t end there. In August 2023, two more malicious extensions of a similar nature \u2014 RoFinder and RoTracker<\/a> \u2014 were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.<\/p>\n

\"RoTracker:<\/a>

The RoTracker malicious extension, also hosted on the Google Chrome Web Store. Source<\/a><\/p><\/div>\n

This suggests that the quality of moderation at the world\u2019s most official platform for downloading Google Chrome extensions leaves much to be desired, and it\u2019s easy enough for creators of malicious extensions to push their creations in there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient \u2014 it often requires efforts from the media, security researchers, and\/or a large online community.\n<\/p>\n

Fake ChatGPT extensions hijacking Facebook accounts<\/h2>\n

\nIn March 2023, two malicious extensions<\/a> were discovered<\/a> in the Google Chrome Web Store within a few days of each other \u2014 both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate \u201cChatGPT for Google\u201d extension, offering integration of ChatGPT\u2019s responses into search engine results.<\/p>\n

The infected \u201cChatGPT for Google\u201d extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.<\/p>\n

\"Infected<\/a>

The infected version of \u201cChatGPT for Google\u201d looked just like the real thing. Source<\/a><\/p><\/div>\n

The trojanized copy of \u201cChatGPT for Google\u201d functioned just like the real one, but with extra malicious functionality: the infected version included additional code designed to steal Facebook session cookies stored by the browser. Using these files, the attackers were able to hijack the Facebook accounts<\/a> of users who\u2019d installed the infected extension.<\/p>\n

The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.<\/p>\n

\"Hijacked<\/a>

After being hijacked, the Facebook account started promoting ISIS content. Source<\/a><\/p><\/div>\n

In the other case, fraudsters created a completely original extension called \u201cQuick access to Chat GPT\u201d. In fact, the extension actually did what it promised, acting as an intermediary between users and ChatGPT using the AI service\u2019s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension\u2019s creators to hijack Facebook business accounts.<\/p>\n

\"Quick<\/a>

\u201cQuick access to Chat GPT\u201d malicious extension. Source<\/a><\/p><\/div>\n

Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by \u2014 you guessed it \u2014 the business accounts they\u2019d already hijacked! This cunning scheme allowed the creators of \u201cQuick access to Chat GPT\u201d to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.\n<\/p>\n

ChromeLoader: pirated content containing malicious extensions<\/h2>\n

\nOften, creators of malicious extensions don\u2019t place them in the Google Chrome Web Store, and distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign related to the ChromeLoader malware, already well-known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim\u2019s browser.<\/p>\n

This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.<\/p>\n

This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023<\/a>, researchers reported the spread of ChromeLoader through VHD files<\/a> (a disk image format) disguised as hacked games or game \u201ccracks\u201d. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.<\/p>\n

A few months later, in June 2023<\/a>, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript<\/a> files were downloaded onto victims\u2019 computers, which then loaded and installed the malicious browser extension.<\/p>\n

\"ChromeLoader<\/a>

One of the sites that distributed the ChromeLoader malware under the guise of pirated content. Source<\/a><\/p><\/div>\n

Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn\u2019t so easy. ChromeLoader not only installs the malicious extension but also adds scripts and Windows Task Scheduler tasks to the system that reinstall the extension every time the system reboots.\n<\/p>\n

Hackers reading Gmail correspondence using a spy extension<\/h2>\n

\nIn March 2023, the German Federal Office for the Protection of the Constitution and the South Korean National Intelligence Agency issued<\/a> a joint report on the activities of the Kimsuky<\/a> cybercriminal group. This group uses an infected extension for Chromium-based browsers \u2014 Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale \u2014 to read the Gmail correspondence of their victims.<\/p>\n

The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it\u2019s installed. AF then automatically sends the victim\u2019s correspondence to the hackers\u2019 C2 server.<\/p>\n

Thus, Kimsuky manages to gain access to the contents of the victim\u2019s mailbox. What\u2019s more, they don\u2019t need to resort to any tricks to hack into this mailbox; they simply bypass the two-factor authentication. As a bonus, this method allows them to do everything in a highly discreet manner \u2014 in particular, preventing Google from sending alerts to the victim about account access from a new device or suspicious location, as would be the case if the password were stolen.\n<\/p>\n

Rilide: malicious extension stealing cryptocurrency and bypassing two-factor authentication<\/h2>\n

\nCriminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023<\/a>, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.<\/p>\n

In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide\u2019s most interesting feature is its ability to bypass two-factor authentication.<\/p>\n

When the extension detects that a user is about to make a cryptocurrency transaction on one of the online services, it injects a script into the page that replaces the confirmation code input dialog, and then steals that code. The payment recipient\u2019s wallet is replaced with one belonging to the attackers, and then, finally, the extension confirms the transaction using the stolen code.<\/p>\n

\"Promotion<\/a>

How the malicious Rilide extension was promoted on X (Twitter) under the guise of blockchain games. Source<\/a><\/p><\/div>\n

Rilide attacks users of Chromium-based browsers \u2014 Chrome, Edge, Brave, and Opera \u2014 by imitating a legitimate Google Drive extension to avoid suspicion. Rilide appears to be freely sold on the black market, so it\u2019s used by criminals unrelated to one another. For this reason, various distribution methods have been discovered \u2014 from malicious websites and emails to infected blockchain game<\/a> installers promoted on Twitter<\/span> X.<\/p>\n

One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation<\/a>. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.<\/p>\n

\"Rilide<\/a>

A step-by-step guide for installing the malicious extension, disguised as a security presentation for Zendesk employees. Source<\/a><\/p><\/div>\n

Dozens of malicious extensions in the Chrome Web Store \u2014 with 87 million downloads combined<\/h2>\n

\nAnd, of course, one cannot forget the story of the summer when researchers discovered several dozen malicious extensions<\/a> in the Google Chrome Web Store, which collectively had more than 87 million downloads from the store. These were various kinds of browser plugins \u2014 from tools for converting PDF files and ad blockers to translators and VPNs.<\/p>\n

The extensions were added to the Chrome Web Store as far back as 2022 and 2021, so by the time they were discovered they\u2019d already been there for several months, a year, or even longer. Among reviews of the extensions, there were some complaints from vigilant users who reported that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints. The malicious extensions were only removed from the store after two groups of security researchers brought the issue to Google\u2019s attention.<\/p>\n

\"Malicious<\/a>

The most popular of the malicious extensions \u2014 Autoskip for YouTube \u2014 had over nine million downloads from the Google Chrome Web Store. Source<\/a><\/p><\/div>\n

How to protect yourself from malicious extensions<\/h2>\n

\nAs you can see, dangerous browser extensions can end up on your computer from various sources \u2014including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes \u2014 from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrencies. Accordingly, it\u2019s important to take precautions:\n<\/p>\n