More and more services are available online without any additional software client. The secret is that they all run directly inside Internet browsers. Those browsers have also adapted through time, providing the possibility to add extensions, for thousands of different purposes. However, cybercriminals have been taking advantage of this situation for several years already and it is not going to stop. Kaspersky released a new report about this specific threat.
Browser extensions downloads
Browser extensions, also called add-ons, are mostly downloaded from official marketplaces or browser providers repositories, such as the Chrome Web Store or the Firefox Add-ons website. These platforms generally have processes to check if an extension is benign or could be a form of malware, but some skilled malware developers might still manage to bypass those checks. In 2020, 106 browser extensions were removed from the Chrome Web Store, being used to steal user data, take screen captures or even steal credit card information from web forms.
Yet it also happens quite often that some add-ons developers provide their work on their own website, and allow the download and installation of their add-ons in the browser.
Browser extensions: the risks
Even without speaking about malicious add-ons, some extensions can be harmful to the user, in the way that it collects a lot of data from the web pages the user visits, allowing to make a full profile of the person browsing the data and possibly know way too much about him/her. This data can be shared or sold by the add-on developer to advertisers or other third parties. In the worst case, the data is not anonymized and sold raw.
Another risk lies in the fact that once an add-on is installed, it can be updated without requiring any action from the end user, meaning that a legitimate add-on might suddenly be compromised and start spreading malware, as happened with the CopyFish add-on. A developer might also give up on developing his/her tool and sell it or give it to another developer, who might turn it into malware.
SEE: Mobile device security policy (TechRepublic Premium)
Malicious add-ons statistics
Kaspersky analyzed data between January 2020 and June 2022 and provided metrics about this threat.
Since 2020, they have blocked malicious add-ons downloads for 6 057 308 users, most of them being in 2020 (Figure A).
As can be seen on the chart, H1 2022 has already almost reached the level of the whole 2021 year and will probably increase in the last part of the year.
The most common threat spreading via browser extensions is adware, which consists of having code inside the extension to show unwanted advertisements in the browser while the user browses websites. Those advertisements are pushed by affiliate programs, in an effort to bring more potential customers to their websites (Figure B).
Kaspersky’s researchers indicate that adware represents about 70% of the whole browser extension threat.
The second most widespread threat is malware, most malware is aimed at stealing credentials, cookies and data copied to the clipboard. While the main use for this kind of malware is to steal valid credentials for websites and credit card data, it can also be used for cyberespionage. Between 2020 and 2022, 2.6 million unique users encountered malware download attempts.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Kaspersky provides several examples of malicious extensions, two of them really standing out from the mass.
H1 2022 showed WebSearch as the most common threat, hitting 876 924 unique users. The threat mimics tools for working with documents, such as .DOC to .PDF file converters and document mergers, among others.
It changes the start page of the user’s browser, providing links to third party resources. The transition to these resources is carried out through affiliate links. As written by Kaspersky, “the more often users follow these links, the more money the extension developers make.”
The default search engine is also modified to one which can capture queries, collect and analyze them, in order to promote relevant partner sites in the search results (Figure C).
The clever part of it is that the add-on still provides the functionalities the user installed it for, usually PDF converter, so the user does not uninstall it.
It is not available on the Chrome Web Store but can still be downloaded from third-party resources.
One of the most dangerous family of malicious browser extensions is currently FB Stealer, aimed at stealing Facebook cookies in addition to changing the search engine. The cookie theft allows an attacker to log in to the victim’s Facebook account and get the whole control of it, often changing the password to kick out the legitimate user before using the account for different scams. FB Stealer is installed on the browser by a malware, not by the user.
What happens is that users download and get infected by the Nullmixer malware, often disguised as a cracked software installer. Once run, it quietly installs the FB Stealer browser extension malware on the computer.
How to protect from those threats?
It is advised to always keep the browser up to date and patched. Also, it is strongly advised to have all browser data being analyzed by security products.
Most malicious add-ons need extra privileges to fully run. Users should always carefully examine the privileges requested by a new add-on they are installing.
Add-ons should only be downloaded from trusted sources, since malicious add-ons are often distributed via third-parties resources where no one checks their security like official web stores do.
Finally, users should periodically review their installed extensions and check if it is still really necessary. If not, it should be uninstalled.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.