Over 100 Malicious Chrome Extensions Discovered Posing as Legitimate Tools

In a troubling development for internet users, over 100 malicious Chrome browser extensions have been discovered that masquerade as benign utilities while carrying out hostile functions. The extensions, attributed to an as-yet-unidentified threat actor, have been active since February 2024, according to a report by the DomainTools Intelligence (DTI) team.

The malicious extensions impersonate a range of plausible services, including productivity tools, media creation utilities, and even virtual private networks (VPNs). Users are lured into installing them through websites built to mimic genuine applications. As the DTI report puts it, "the actor creates websites that masquerade as legitimate services," which makes the deceptive tools harder to recognize. Further details are documented in DTI's analysis.

Once installed, the extensions can carry out a range of hostile actions, including credential theft, session hijacking, ad injection, and malicious redirects. They obtain the reach for this by requesting broad permissions in their manifests, which the user grants at install time, giving them wide access to browsing activity. A notable implementation detail is that the extensions execute code through a DOM event handler rather than an ordinary script, a technique DTI assesses is most likely intended to evade content security policy (CSP) restrictions.

Google has removed the identified extensions from the Chrome Web Store, but the threat is not fully contained: the lure websites remain reachable, so users can still be steered to them by conventional means such as phishing or social media manipulation. DomainTools observed that many of the lure sites carried tracking identifiers associated with Facebook, suggesting the actor uses social media platforms to draw in unsuspecting users.

To protect themselves, users are advised to install extensions only from verified developers, to examine closely the permissions an extension requests at installation, and to avoid lookalike extensions that imitate well-known products. Ratings and reviews should be treated with caution, since malicious actors can inflate them to hide an extension's true nature.
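As an added illustration (this is not code from the article or from the DTI report), the following Node.js script performs the two checks that the behaviour described earlier and the advice above call for: it flags an extension manifest that requests permissions and host patterns giving it access to every site the user visits, and it scans extension source for the inline event-handler pattern that executes a code string without a script element. The permission list, the regexes, and the sample manifest and source are constructed assumptions; the article does not name the specific handler the actor used, so the sample's use of a form `onreset` handler is the author's choice for illustration.

```javascript
// Added example, not from the article or DTI. Audits a Chrome extension for
// two warning signs: broad permissions in manifest.json and inline
// event-handler code execution in its scripts. Runs offline under Node.js.

// Permissions that give an extension reach over browsing activity or
// credentials. Illustrative assumption, not an official Chrome list.
const RISKY_PERMISSIONS = {
  cookies: 'read/modify cookies (session hijacking)',
  webRequest: 'observe network requests',
  webRequestBlocking: 'modify or redirect network requests',
  declarativeNetRequest: 'rewrite or redirect requests',
  scripting: 'inject scripts into pages',
  tabs: 'enumerate and control tabs',
  history: 'read browsing history',
  clipboardRead: 'read the clipboard',
  webNavigation: 'track navigation',
  proxy: 'route traffic through an attacker-chosen proxy',
};

// True for host patterns that match every site: <all_urls>, *://*/*, http(s)://*/*
function isBroadHost(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Returns a list of findings ({kind, value, why}) for one parsed manifest.
// Handles both MV2 (host patterns inside "permissions") and MV3 ("host_permissions").
function auditManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || []);
  const hosts = [].concat(
    manifest.host_permissions || [],
    perms.filter((p) => p.includes('://') || p === '<all_urls>'),
  );
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) findings.push({ kind: 'permission', value: p, why: RISKY_PERMISSIONS[p] });
  }
  for (const h of hosts) {
    if (isBroadHost(h)) findings.push({ kind: 'host', value: h, why: 'access to every site the user visits' });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) findings.push({ kind: 'content_script', value: m, why: 'content script runs on every site' });
    }
  }
  return findings;
}

// Inline-handler pattern: an element gets an on* attribute whose value is a
// code string, and the matching event is then triggered so the string runs
// without any <script> element. Regexes are a heuristic assumption.
const INLINE_HANDLER_RE = /setAttribute\(\s*['"](on\w+)['"]\s*,/;
const TRIGGER_RE = /\.(dispatchEvent|reset|click|submit)\(/;

function scanSourceForInlineHandlers(src) {
  const hits = [];
  src.split('\n').forEach((line, i) => {
    const m = line.match(INLINE_HANDLER_RE);
    if (m) hits.push({ line: i + 1, handler: m[1] });
  });
  const triggered = TRIGGER_RE.test(src);
  return { hits, triggered, suspicious: hits.length > 0 && triggered };
}

// Constructed sample inputs, modelled on the behaviour the article describes.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Free VPN Booster',
  permissions: ['cookies', 'tabs', 'scripting', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};

const SAMPLE_SOURCE = `
const f = document.createElement('form');
f.setAttribute('onreset', remoteCode);
document.body.appendChild(f);
f.reset();
f.remove();
`;

function runAudit(manifest = SAMPLE_MANIFEST, source = SAMPLE_SOURCE) {
  return { manifestFindings: auditManifest(manifest), sourceScan: scanSourceForInlineHandlers(source) };
}

const report = runAudit();
for (const f of report.manifestFindings) console.log(`[${f.kind}] ${f.value}: ${f.why}`);
console.log('inline handler hits:', JSON.stringify(report.sourceScan.hits), 'suspicious:', report.sourceScan.suspicious);
```

To audit a real installed extension, point the script at the unpacked extension directory under the Chrome profile, parse its `manifest.json` with `JSON.parse`, and feed each `.js` file to `scanSourceForInlineHandlers`; an extension whose manifest shows broad host access alongside `cookies` or `scripting` and whose source sets `on*` attributes from strings deserves a closer look before it is trusted.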