GHARIB, posted June 20, 2020 (edited)

HIGHLIGHTS:
- More than 33 million downloads
- 111 malicious or fake Chrome extensions (from the GOOGLE Official Store - removed in JUNE 2020)
- 15,160 malicious/suspicious domains

MILLIONS of Google Chrome users may have had their intimate web browsing history hacked as security experts discover malicious spyware extensions, which have been downloaded more than 30 million times.

> This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input. Google has taken down these extensions following Awake’s disclosure. However, this campaign was able to avoid detection by state-of-the-art security tools through a number of evasion schemes.

Example of FAKE extension (infected):

Discovered by the Awake Security Team: in these 3 months they have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.

After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network.

Fortunately, these were live until May 2020 when they were finally reported to Google by the researchers and got removed from the Chrome store.

For further information: https://awakesecurity.com/white-papers/the-internets-new-arms-dealers-malicious-domain-registrars/

Edited June 20, 2020 by GHARIB

ChaOs, posted June 20, 2020 (edited)

What kind of "infection" could the end users expect? Or another question: how does the infected code go from the browser directly to the computer? Browser cache, btw, is not enough to infect computers, because Chrome and other browsers create 'cache' blocks to prevent exploits.

Always interested in browser security.

Edited June 20, 2020 by ChaOs

Makovey, posted November 24, 2021

On 6/20/2020 at 1:10 PM, GHARIB said:
> HIGHLIGHTS:
> - More than 33 million downloads
> - 111 malicious or fake Chrome extensions (from the GOOGLE Official Store - removed in JUNE 2020)
> - 15,160 malicious/suspicious domains
>
> MILLIONS of Google Chrome users may have had their intimate web browsing history hacked as security experts discover malicious spyware extensions, which have been downloaded more than 30 million times.
>
> Example of FAKE extension (infected):
>
> Discovered by the Awake Security Team: in these 3 months they have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
>
> After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network.
>
> Fortunately, these were live until May 2020 when they were finally reported to Google by the researchers and got removed from the Chrome store.
>
> For further information: https://planable.io/blog/best-chrome-extensions-social-media-marketers/

Lately, there have been a lot of data leaks in either Chrome or Facebook. In my opinion, their platforms are a little outdated for this time as they are quite vulnerable. I know that most of my friends have started using DuckDuckGo, citing its privacy, but for now I will just use antivirus to protect my computer from any malicious attacks; hopefully that will help.

GHARIB (Author), posted March 24, 2022 (edited)

On 6/20/2020 at 12:11 PM, ChaOs said:
> What kind of "infection" could the end users expect? Or another question: how does the infected code go from the browser directly to the computer? Browser cache, btw, is not enough to infect computers, because Chrome and other browsers create 'cache' blocks to prevent exploits.
>
> Always interested in browser security.

Sorry to "revive" this topic, I have just noticed this observation!

It is not only about the browser itself (even if it runs through the browser), but about the software you have installed (to be run in/through the browser).

Chrome, Discord, Enemy Territory, your printer software management or your antivirus are all on the same layer (Application). They are all independent of each other, and not related. And each can establish a TCP/UDP session on its own side, if you have given it all the privileges for it - in OS architecture they are all equal in the layer!

In this specific case, your browser is not, strictly speaking, infected -> your extension is!

Edit: For the extensions, it is very similar to a "desktop" application: they run at the application layer, BUT running in the browser, it completely bypasses a lot of protections!

I will quote Jake Williams from Rendition Infosec, in wired.com:

> “It's trivial for an attacker to get their extension published and then change the behavior dynamically after it's published."

https://www.wired.com/story/chrome-extension-malware/

> The crucial thing you can do to protect yourself from malicious Chrome extensions is to choose what you download carefully and only use extensions from trusted sources, whether you're in the Chrome Web Store or getting an extension from a specific developer. It’s also important to check what permissions each extension asks for when you install it, to make sure there’s nothing strange in the list, like a calculator tool that wants access to your webcam. And regularly review the list of Chrome extensions you have installed by going to “Window” and then “Extensions,” so you can catch anything you don’t want and use that has snuck in.

> Part of the problem: Chrome is already a trusted application. When users give it permission to run certain code, like an extension, their operating system and most antivirus products usually give it a free pass.

If you have given the privileges to your downloaded extension or software to write or read (for example your personal files, your photos -> "do you allow this app to access internet, to your microphone, camera, files, photo gallery, etc...?") -> this is the threat! Your data is leaked and analyzed by a third party.

Edited March 24, 2022 by GHARIB: modified for better explanation
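
The permission review recommended in the reply above can also be run offline against the `manifest.json` files Chrome keeps on disk for each installed extension. This is an added example, not part of the original thread: the function names, the permission-to-capability mapping and the sample manifest are assumptions made for illustration, and the caller passes in the `Extensions` directory of their own Chrome profile.

```python
import json
from pathlib import Path

# Chrome permission -> capability named in the thread that it can enable.
RISKY = {
    "clipboardRead": "read the clipboard",
    "cookies": "read cookies, including session tokens",
    "tabCapture": "capture tab contents (screenshots)",
    "desktopCapture": "capture the screen (screenshots)",
    "webRequest": "observe network requests",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERM_KEYS = ("permissions", "optional_permissions", "host_permissions")

# Constructed sample manifest, not a real extension.
SAMPLE = {
    "name": "Simple Calculator", "manifest_version": 2,
    "permissions": ["storage", "clipboardRead", "cookies", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}],
}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    perms = [p for key in PERM_KEYS for p in manifest.get(key, [])
             if isinstance(p, str)]  # skip object-style entries
    findings = [f"{p}: can {RISKY[p]}" for p in perms if p in RISKY]
    findings += [f"{p}: access to every site" for p in perms if p in BROAD_HOSTS]
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            findings.append("content script on every site: can read typed input")
            break
    return findings

def audit_profile(extensions_dir):
    """Audit <extensions_dir>/<extension id>/<version>/manifest.json files."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

A finding is a prompt to ask whether the extension's stated purpose needs that access, not proof that the extension is malicious.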

Daddy, posted March 24, 2022

2 hours ago, GHARIB said:
> If you have given the privileges to your downloaded software to write or read (for example your personal files, your photos -> "do you allow this app to access internet, to your microphone, camera, files, photo gallery, etc...?") -> this is the threat! Your data is leaked and analyzed by a third party.

Very interesting, your observation, Gharib.

And imagine it in our cellphone? All apps that are downloaded to our phone ask for the privilege to take photos, cam, gallery, text, local position etc. etc. ... and if we do not give the authorization, the app does not work.

So we are not alone in the universe ... there is always someone checking our information.

GHARIB (Author), posted March 24, 2022

17 minutes ago, Daddy said:
> And imagine it in our cellphone?

This is the case! 😖