Malicious Browser Extensions Steal User Data
According to Cisco’s 2016 Annual Security Report, an estimated more than 85 percent of organizations are affected by malicious browser extensions.
Malicious browser extensions are one way to surreptitiously monitor and steal user activity and data. One particular extension, called iCalc under the guise of being a functional calculator, was spread via a malvertising campaign, targeting Google Chrome users.
Similar to Android Apps, Chrome extensions require certain permissions, such as access to your contacts, microphone, came and more. Those permissions can allow a malicious plugin to gain more access rights than necessary, typically, for the type of extension - especially, as in this case, a calculator.
A video demonstration of the extension installation on the security firm Malwarebyte’s blog shows a series of aggressive pop-up window prompts, the first one asking the user:
Add “iCalc”?
It can:
- Read and change all of your data on the websites you visit
But when the user presses the Cancel button, a secondary prompt asks if they’re sure they want to cancel install of the extension. When the No button is pressed, it simply loops back to the Add iCalc prompt.
If the user navigates their cursor toward the browser address bar or attempts to close the window, yet another prompt insists the user installs the extension, asking them to press Esc and add the extension.
The extension didn’t even have a calculator function - instead, it contained a set of scripts to create a proxy and intercept web requests, while taking commands and updates from a domain registered in Panama.
The malicious extension had been downloaded nearly 1,000 times before it was pulled from the Google Chrome web store. According to Malwarebytes, many adware developers push users to install extensions don’t really do much other than harvest browsing habits and reselling them to marketing companies for advertising purposes.
Exposing User Data via Browser Extensions
While some extensions are designed to be malicious, some extensions intended for security can actually seriously breach users’ privacy online.
Late last year, a Google researcher found a vulnerability in a free plugin installed by AVG AntiVirus that bypassed Google’s Chrome browser security. The plugin could potentially expose the browsing histories and other personal data to the Internet for over 9 million users that had the plugin installed in their browsers, according to Ars Technica.
AVG’s Web Tuneup tool is force-installed by the AVG AntiVirus product. The installation was performed in a way that broke the security checks that Chrome uses to test for malicious plugins and malware. The tool flags questionable search results to alert users of potentially malicious sites.
But the plugin could also be easily exploited by an attacker via cross-site scripting (XSS), according to Google Security researcher Tavis Ormandy. In an example exploit, Ormandy stole the authentication cookies from AVG’s website which exposed browsing history/other personal info online. The vulnerability has since been patched by AVG.
Protecting Against Malicious Browser Extensions
To protect against rogue browser extensions, take the same precautions you might when installing third-party applications on your smartphone, and read the permissions carefully. Check out the extension page in the download store, and if it looks sketchy (no screenshots, reviews or information), don’t install it. Below, the iCalc extension mentioned earlier has an empty listing in the Chrome Web Store.
Review your browser extension list and remove any that you don’t or rarely use. You can check which extensions you have installed by typing chrome://extensions/ in the address bar into the address bar.
As Cisco points out in their report, malicious browser extensions exfiltrate more than just information on a user’s browsing history; they’re also collecting URL-embedded information like user credentials, customer data, and information about an organization’s internal APIs and infrastructure. Protect against attackers using stolen online credentials to remotely log into your accounts by adding two-factor authentication.