Malicious Chrome Extensions Downloaded Over 33 Million Times

Google has removed scores of malicious and fake Chrome extensions being used in a global eavesdropping campaign.



The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.



Figures for the others not in the official marketplace are hard to calculate for obvious reasons.



“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.



“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.”



Spoofed to appear legitimate, the extensions all sent the data they harvested back to ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”



Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, AV and other defenses.



“One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter,” the report explained.



“If the connection is coming from a data c ..
