Malware, Patch/Configuration Management, Vulnerability Management

Scammers increasingly using rogue extensions to victimize Chrome and ChromeOS users

Despite the safety mechanisms baked into the Chrome browser and ChromeOS, Malwarebytes has found hackers are using rogue extensions to perform everything from malvertising attacks to installing adware.

Jerome Segura, a Malwarebytes senior security researcher, said cybercriminals are finding extensions are an excellent way to infiltrate Chrome and ChromeOS because, like apps, most users pay little attention to the permissions that must be agreed to prior to downloading an extension.

“This makes it an ideal situation for threat actors to aggressively push bogus apps and use a little bit of social engineering to coerce end users into downloading malware laden extensions,” Segura wrote in a blog.

Some of the malicious activity being conducted via these rogue extensions are data theft, spying and placing pop up ads.

One example of this type of activity discovered by Malwarebytes, involved a malvertising incident that pushed users to install a calculator Chrome extension called iCalc. Once opened there was no way to close the window or to even refuse to install the app. Instead it bombarded the victim with dialog and audio pop up messages. However, Segura noted that the extension was obviously fraudulent to a person paying attention.

“This extension had some telltale signs of being malicious beyond its aggressive distribution method. Although it was listed in the Chrome store, it had no screenshot information or reviews. It also required invasive permissions (Read and change all your data on the websites you visit) for being a calculator,” he said, adding once on board the computer it began to communicate with its home office to receive additional instructions.

Malwarebytes said the extension was available in the official Chrome web store and had been downloaded more than 1,000 times before its true nature was discovered and it was removed.

The calculator was barely even a shell to disguise the extension's true job, instead the code mainly contained scripts to create a proxy and perform web requests interceptions.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.