Chrome extensions - Discovery of a Massive Surveillance Campaign


GHARIB

HIGHLIGHTS:

- More than 33 million downloads
- 111 malicious or fake Chrome extensions (from the GOOGLE Official Store - removed in JUNE 2020)
- 15,160 malicious/suspicious domains

MILLIONS of Google Chrome users may have had their intimate web browsing history hacked as security experts discover malicious spyware extensions, which have been downloaded more than 30 million times.

Quote

This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input. Google has taken down these extensions following Awake’s disclosure. However, this campaign was able to avoid detection by state-of-the-art security tools through a number of evasion schemes.

Example of FAKE extension (infected):

[screenshot]

Discovered by the Awake Security Team: over these 3 months they have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.

After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network.

Fortunately, these were live until May 2020 when they were finally reported to Google by the researchers and got removed from the Chrome store.

For further information:

https://awakesecurity.com/white-papers/the-internets-new-arms-dealers-malicious-domain-registrars/

Edited by GHARIB
  • Thanks 2
  • Confused 1
  • Surprise 1

What kind of "infection" could the end users expect?

Or another question: how does the infected code go from the browser directly to the computer?

Browser cache, btw, is not enough to infect computers, because Chrome and other browsers create 'cache' blocks to prevent exploits.

Always interested in browser security.

Edited by ChaOs

  • 1 year later...
On 6/20/2020 at 1:10 PM, GHARIB said:

HIGHLIGHTS:

- More than 33 million downloads
- 111 malicious or fake Chrome extensions (from the GOOGLE Official Store - removed in JUNE 2020)
- 15,160 malicious/suspicious domains

MILLIONS of Google Chrome users may have had their intimate web browsing history hacked as security experts discover malicious spyware extensions, which have been downloaded more than 30 million times.

Example of FAKE extension (infected):

[screenshot]

Discovered by the Awake Security Team: over these 3 months they have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.

After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network.

Fortunately, these were live until May 2020 when they were finally reported to Google by the researchers and got removed from the Chrome store.

For further information:

https://planable.io/blog/best-chrome-extensions-social-media-marketers/

Lately, there have been a lot of data leaks in either Chrome or Facebook. In my opinion, their platforms are a little outdated for this time as they are quite vulnerable. I know that most of my friends have started using DuckDuckGo, citing its privacy, but for now I will just use antivirus to protect my computer from any malicious attacks, hopefully that will help.

  • 3 months later...
On 6/20/2020 at 12:11 PM, ChaOs said:

What kind of "infection" could the end users expect?

Or another question: how does the infected code go from the browser directly to the computer?

Browser cache, btw, is not enough to infect computers, because Chrome and other browsers create 'cache' blocks to prevent exploits.

Always interested in browser security.

Sorry to "revive" this topic, I have just noticed this observation!

It is not only about the browser itself (even if it runs through the browser), but about the software you have installed (to be run in/through the browser).

Chrome, Discord, Enemy Territory, your printer management software or your antivirus are all on the same layer (Application). They are all independent of each other and not related. And each can establish a TCP/UDP session on its own, if you have given it all the privileges for it; in OS architecture they are all equal in the layer!

In this specific case, your browser is not, strictly speaking, infected -> your extension is!

Edit: For the extensions, it is very similar to a "desktop" application: they run at the application layer, BUT running in the browser, it completely bypasses a lot of protections!

I will quote Jake Williams of Rendition Infosec, in wired.com:

Quote

“It's trivial for an attacker to get their extension published and then change the behavior dynamically after it's published."

https://www.wired.com/story/chrome-extension-malware/

Quote

The crucial thing you can do to protect yourself from malicious Chrome extensions is to choose what you download carefully and only use extensions from trusted sources, whether you're in the Chrome Web Store or getting an extension from a specific developer. It’s also important to check what permissions each extension asks for when you install it, to make sure there’s nothing strange in the list, like a calculator tool that wants access to your webcam. And regularly review the list of Chrome extensions you have installed by going to “Window” and then “Extensions,” so you can catch anything you don’t want and use that has snuck in.

Quote

Part of the problem: Chrome is already a trusted application. When users give it permission to run certain code, like an extension, their operating system and most antivirus products usually give it a free pass.

If you have given your downloaded extension or software the privileges to write or read (for example your personal files, your photos -> "do you allow this app to access the internet, your microphone, camera, files, photo gallery, etc.?") -> this is the threat!

Your data is leaked and analyzed by a third party :(

Edited by GHARIB
modified for better explanation
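The two points made in this post and in the quoted Wired advice (the extension, not the browser, is what holds the privileges, and the user should check what permissions each extension asks for) can be turned into a small audit. The script below is an added example written for this thread; it is not code from the forum post, from Awake Security or from Google. It parses Chrome extension manifest.json files, flags broad host access, sensitive API permissions and a content security policy that allows 'unsafe-eval' (the setting that lets an extension change its behaviour after it is published), and rates each extension. The risk tiers are this example's own assumptions, the two sample manifests are constructed for the demonstration and do not describe any real extension, and the profile paths named in the docstring are the standard Chrome locations.

```python
import glob
import json
import os

# Risk tiers below are this example's own assumptions, not a Google or Awake classification.
HIGH_RISK_PERMISSIONS = {
    "tabs", "cookies", "history", "webRequest", "webRequestBlocking",
    "clipboardRead", "desktopCapture", "nativeMessaging", "debugger",
    "proxy", "management", "webNavigation",
}
MEDIUM_RISK_PERMISSIONS = {"activeTab", "scripting", "downloads", "bookmarks", "identity"}
# Host match patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest_text):
    """Summarise the risky capabilities declared by one manifest.json (passed as text)."""
    m = json.loads(manifest_text)
    declared = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    # MV2 mixes host match patterns into "permissions"; MV3 lists them under "host_permissions".
    hosts = set(m.get("host_permissions", [])) | {p for p in declared if _is_host_pattern(p)}
    api_perms = declared - hosts
    # Content scripts injected into every page can read and alter what the user sees and types.
    script_matches = set()
    for script in m.get("content_scripts", []):
        script_matches.update(script.get("matches", []))
    broad_hosts = (hosts | script_matches) & BROAD_HOST_PATTERNS
    high = sorted(api_perms & HIGH_RISK_PERMISSIONS)
    medium = sorted(api_perms & MEDIUM_RISK_PERMISSIONS)
    # A relaxed CSP lets the extension run code assembled or fetched after install,
    # which is how a benign-looking extension can change behaviour later.
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 uses an object keyed by context
        csp = " ".join(csp.values())
    allows_eval = "unsafe-eval" in csp
    findings = []
    if broad_hosts:
        findings.append("broad host access: " + ", ".join(sorted(broad_hosts)))
    if high:
        findings.append("high-risk API permissions: " + ", ".join(high))
    if medium:
        findings.append("medium-risk API permissions: " + ", ".join(medium))
    if allows_eval:
        findings.append("content_security_policy allows 'unsafe-eval'")
    if broad_hosts or high or allows_eval:
        risk = "high"
    elif medium:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": m.get("name", "<unnamed>"),
        "risk": risk,
        "broad_host_access": sorted(broad_hosts),
        "high_risk_permissions": high,
        "medium_risk_permissions": medium,
        "allows_unsafe_eval": allows_eval,
        "findings": findings,
    }


def audit_installed(extensions_dir):
    """Audit every <id>/<version>/manifest.json below a Chrome profile's Extensions folder.

    The default profile keeps that folder at ~/.config/google-chrome/Default/Extensions
    on Linux and at %LOCALAPPDATA%/Google/Chrome/User Data/Default/Extensions on Windows.
    """
    reports = {}
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        with open(path, encoding="utf-8") as handle:
            reports[ext_id] = audit_manifest(handle.read())
    return reports


# Constructed sample manifests for the demonstration; they are not taken from any real extension.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Plain Calculator (constructed sample)",
    "version": "1.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
})
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Calculator Plus (constructed sample)",
    "version": "1.0",
    "permissions": ["storage", "tabs", "cookies", "clipboardRead", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})

if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        report = audit_manifest(text)
        print(f"{report['name']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as-is it rates the constructed "Plain Calculator" low and the constructed "Calculator Plus" high, because a calculator has no reason to read every page, every cookie and the clipboard. Pointing audit_installed() at a real Extensions folder gives the same report per extension id; a high rating is a reason to look at the extension, not proof that it is malicious, since legitimate ad blockers and password managers also request broad host access.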

2 hours ago, GHARIB said:

If you have given your downloaded software the privileges to write or read (for example your personal files, your photos -> "do you allow this app to access the internet, your microphone, camera, files, photo gallery, etc.?") -> this is the threat!

Your data is leaked and analyzed by a third party :(


Very interesting observation, Gharib.

And imagine it on our cellphone? All apps that are downloaded to our phone ask for the privilege to take photos, cam, gallery, text, local position, etc. ... and if we don't give the authorization, the app doesn't work.
So we are not alone in the universe ... there is always someone checking our information.

  • Like 1