Extensions are introducing adware, stealing user credentials, and redirecting to malware distribution sites.

Researchers at Cato Networks have identified Twenty-four malicious Google Chrome browser extensions. The malicious activity found includes stolen credentials, adware installation, and redirection to malware distribution sites.

While Google generally does a good job removing and blocking malicious Chrome extensions, these newly identified extensions were not previously tagged as malicious by endpoint protection systems (EPPs) or threat intelligence (TI). These extensions can steal credentials and financial information, leaving enterprises at risk.  Cato noted many instances of this activity already reported.

A Hot Target

Chrome is a hot target for malicious extensions because of how many users the browser has. While an exact number of Chrome extensions that may be harmful isn’t sure, even a tiny percentage of extensions can infect millions of Internet users.

Researchers discovered over 100 malicious Google Chrome extensions last June. These extensions were being used globally to take screenshots, steal credentials, and perform other malicious activities. There were over 32 million downloads of these extensions, according to Awake Security.

Malicious Chrome Extensions

In February of 2020, Google had removed approximately 500 Chrome extensions from its Web Store after security researchers pointed out the inappropriate activity. It’s estimated that this malicious activity affected 1.7 million users.

In a recent report, Cato Networks identified 97 out of 551 Chrome extensions as potentially being problematic. Next, Cato manually inspected each of the 551 extensions to verify any potentially malicious activity. This resulted in 87 extensions identified as malicious. 24 of those extensions were not before identified as problematic.

Malicious Chrome Extensions

Avenues for Malicious Chrome Extension Activity

While Google has multiple security methods to identify problematic extensions, research shows that bad actors are still finding ways of introducing malicious extensions into user’s browsers.

Access through unofficial stores, bypassing Chrome’s blocking of unofficial extensions, and sneaking malicious code into updates are all being identified as potential avenues for malicious activity. Bad actors may also purchase rights to legitimate Chrome extensions and then modify them.

What’s Next

This malicious activity highlights the limitations of protection systems such as EPPs and TI. To avoid potentially harmful activity via malicious browser extensions, Cato recommends that enterprises first define and maintain a whitelist policy of extension IDs allowed in the organization.

Organizations should also ensure whitelisted extensions are from Google’s official Chrome Web Store only and assess the permissions granted by the extension. Enterprises will also need to monitor for browsers with poor security settings and identify periodic communication with C&C servers.

LEARN MORE

Share This Story, Choose Your Platform!

Let’s have a 15-minute video call

We are now taking on new clients.