Add-ons for Popular Social Media Platforms Being Used to Spread Malware
Researchers have identified 28 popular extensions for Google’s Chrome and Microsoft’s Edge web browsers that may contain malware and are recommending that users uninstall them immediately. It’s believed that more than 3 million people have already downloaded the malware-laced extensions.
A researcher at CZ.NIC discovered the malware in question after observing what he called “non-standard” behavior on his computer. After some investigation, he discovered malicious scripts coming from certain browser extensions. He then found that malware entered his system through localStorage, the general data repository that browsers make available to sites and add-ons. Researchers then found that infected JavaScript-based extensions contain malicious code that opens the door to downloading even more malware to a person’s computer and manipulates all links that the victims click on after downloading the extensions.
Clicking on the links also causes the extensions to send information to the attacker’s control server, creating a log of all of someone’s clicks. That log is then sent to third-party websites and can be used to collect a user’s personal information, including birth date, email addresses, device information, first sign-in time, last login time, name of his or her device, operating system, browser used and version, and IP address.
Researchers believe that either the extensions were created deliberately with built-in malware, or the threat actor waited for the extensions to become popular and then pushed out a malicious update. It’s also believed that the domains used in this campaign are likely not owned by the cybercriminals; rather, the domain owners probably pay the cybercriminals for every redirection to the domain.
Extensions for the browsers that potentially could pose a security threat include Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock, as well as others in use for the two popular browsers. It’s important to note that the infected extensions are still available for download and we recommend that users disable and uninstall them and scan for malware before continuing to use them.