Malicious Browser Extensions Targeted Over a Million Users So Far This Year

More
than
1.31
million
users
attempted
to
install
malicious
or
unwanted
web
browser
extensions
at
least
once,
new
findings
from
cybersecurity
firm
Kaspersky
show.

“From
January
2020
to
June
2022,
more
than
4.3
million
unique
users
were
attacked
by
adware
hiding
in
browser
extensions,
which
is
approximately
70%
of
all
users
affected
by
malicious
and
unwanted
add-ons,”
the
company

said
.

As
many
as
1,311,557
users
fall
under
this
category
in
the
first
half
of
2022,
per
Kaspersky’s
telemetry
data.
In
comparison,
the
number
of
such
users
peaked
in
2020
at
3,660,236,
followed
by
1,823,263
unique
users
in
2021.

The
most
prevalent
threat
is
a
family
of
adware
called
WebSearch,
which
masquerade
as
PDF
viewers
and
other
utilities,
and
comes
with
capabilities
to
collect
and
analyze
search
queries
and
redirect
users
to
affiliate
links.

WebSearch
is
also
notable
for
modifying
the
browser’s
start
page,
which
contains
a
search
engine
and
a
number
of
links
to
third-party
sources
like
AliExpress
that,
when
clicked
by
the
victim,
help
the
extension
developers
earn
money
through
affiliate
links.

“Also,
the
extension
modifies
the
browser’s
default
search
engine
to
search.myway[.]com,
which
can
capture
user
queries,
collect
and
analyze
them,”
Kaspersky
noted. “Depending
on
what
the
user
searched
for,
most
relevant
partner
sites
will
be
actively
promoted
in
the
search
results.”

A
second
set
of
extensions
involve
a
threat
named
AddScript
that
conceals
its
malicious
functionality
under
the
guise
of
video
downloaders.
While
the
add-ons
do
offer
the
advertised
features,
they
are
also
designed
to
contact
a
remote
server
to
retrieve
and
execute
a
piece
of
arbitrary
JavaScript
code.

Over
one
million
users
are
said
to
have
encountered
adware
in
H1
2022
alone,
with
WebSearch
and
AddScript
targeting
876,924
and
156,698
unique
users.

Also
found
were
instances
of
information-stealing
malware
like
FB
Stealer,
which
aim
to
steal
Facebook
login
credentials
and
session
cookies
of
logged-in
users.
FB
Stealer
has
been
responsible
for
3,077
unique
infection
attempts
in
H1
2022.

The
malware
primarily
singles
out
users
on
the
lookout
for
cracked
software
on
search
engines,
with
FB
Stealer
delivered
through
a
trojan
called
NullMixer,
which
propagates
through
cracked
installers
for
software
such
as
SolarWinds
Broadband
Engineers
Edition.

“FB
Stealer
is
installed
by
the
malware
rather
than
by
the
user,”
the
researchers
said. “Once
added
to
the
browser,
it
mimics
the
harmless
and
standard-looking
Chrome
extension
Google
Translate.”

These
attacks
are
also
financially-motivated.
The
malware
operators,
after
getting
hold
of
the
authentication
cookies,
log
in
to
the
target’s
Facebook
account
and
hijack
it
by
changing
the
password,
effectively
locking
out
the
victim.
The
attackers
can
then
abuse
the
access
to
ask
the
victim’s
friends
for
money.

The
findings
come
a
little
over
a
month
after
Zimperiumm
disclosed
a
malware
family
called

ABCsoup

that
masquerades
as
a
Google
Translate
extension
as
part
of
an
adware
campaign
targeting
Russian
users
of
Google
Chrome,
Opera,
and
Mozilla
Firefox
browsers.

To
keep
the
web
browser
free
of
infections,
it’s
recommended
that
users
stick
to
trusted
sources
for
downloading
software,
review
extension
permissions,
and
periodically
review
and
uninstall
add-ons
that “you
no
longer
use
or
that
you
do
not
recognize.”

Leave a Reply

Your email address will not be published. Required fields are marked *