A recent attack called Catch-All spreads a Google Chrome extension via phishing emails, stealing data posted online by users.
The email had links to photos sent via WhatsApp - when users clicked on the links, they would actually download an executable that launched a fake Adobe PDF Reader install screen. The executable also downloaded and unzipped two files, executing a CAB file that contained two very large files that:
- Ended Google Chrome processes
- Attempted to disable Windows Firewall
- Included code to bloat the file as a potential strategy to bypass antivirus solutions that typically don't inspect large files
There is a threshold size of downloaded files set to prevent system resources from becoming overloaded; an example is Fortiguard’s default setting of 10 MB.
Once one of the files had cleared a path, it installed the malicious Chrome extension and changed the Google Chrome launcher files to load it on next execution, according to the security researchers. To load the extension, the file disabled other security features, effectively:
- Allowing Chrome to run plugins without authorization
- Allowing extensions to inject script into file URLs, without user opt-in
- Disabling Chrome's Safe Browsing download protection, allowing files to pass by unverified
Once installed, the extension stole user data posted by users on websites (including email addresses and passwords), and sent it back to the attacker’s command & control server.
This type of attack is different and perhaps more successful than others because it didn’t require any spoofed websites, forged SSL certificates, etc. - the attacker was able to stealthily steal leaked data as the user browsed legitimate websites.
Other Cases of Malicious Chrome Extensions
In mid-October, SwiftonSecurity found over 37,000 users had downloaded a malicious extension the Chrome Web Store that mimicked the look of AdBlock Plus ad blocker. It had been available for about a month. A day after Google removed the malicious extension, developers slipped two other malicious plugins into the Chrome Web Store.
Another malicious Chrome extension disguised as a URL shortener was actually stealing users’ CPU power without their consent; downloading Coinhive file, a JavaScript code that allows web admins to mine the cryptocurrency known as Monero, as reported by cryptocoins news. This was the second malicious mining extension discovered this month; earlier, an extension called SafeBrowse was pulled from the web store.
While there is ongoing discussion among Google engineers of features they could build into Chrome to stop cryptocurrency miners, protecting against unauthorized access and the use of stolen passwords remains the same, regardless of how they’re stolen - use strong methods of two-factor authentication, including U2F and push notifications can help keep access secure.