Google Removes over 100 Malicious Chrome Extensions
Google removed 106 extensions from its Chrome Web Store after a report that they were being used to harvest sensitive user data. The research, by Awake Security, alleges that millions of Chrome users were targeted by attackers who used the extensions not only to steal data but also to establish persistent footholds on corporate networks. In effect, trojanized Chrome browser extensions have been spying on users.
The extensions were free and purported either to warn users about questionable websites or to convert files between formats. In total they were downloaded 32 million times. Google has long policed its Chrome Web Store for rogue extensions; what is unique about this case is that, according to Awake, it is part of a coordinated spying campaign that was aided by the internet domain registrar CommuniGal Communication Ltd. (Galcomm). Galcomm owner Moshe Fogel told Reuters that his company was unaware of the malicious activity and had done nothing wrong.
Researchers allege that Galcomm enabled those behind the extensions by letting them cloak their activity: domains registered through it allowed the criminals to bypass multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity. In the past three months alone, researchers found 111 fake Chrome extensions using Galcomm domains for command-and-control infrastructure and as loader pages for the extensions. Once installed, these extensions could take screenshots, read the clipboard, steal credential tokens stored in cookies and log keystrokes.
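Each of those four behaviours depends on permissions an extension must declare in its manifest.json, so the manifest is the quickest place for a defender to check an installed extension. The following Node.js script is an added example, not code from the article or from Awake Security's report: it maps a manifest's declared permissions and content-script match patterns onto the screenshot, clipboard, cookie and keystroke capabilities described above, and also flags an update_url that does not point at the Chrome Web Store, since the article notes that the loader pages lived on registrar-controlled domains. The Chrome permission names and the Web Store update endpoint are real; the two sample manifests, the updates.example.test host and the helper names are constructed for illustration.

```javascript
// Added example, not from the article or Awake Security's report.
// Audits a Chrome extension manifest (manifest.json) for the permissions
// that enable screenshots, clipboard reads, cookie theft and keystroke logging.
// Permission names are real Chrome permission strings; the sample manifests
// below are constructed for illustration.

// Host-match patterns that give an extension access to every site.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions worth flagging, with why each matters.
const RISKY_PERMISSIONS = {
  cookies: "read or modify cookies (session tokens) for permitted hosts",
  clipboardRead: "read the system clipboard",
  tabs: "enumerate open tabs and their URLs",
  webRequest: "observe every HTTP request the browser makes",
  webRequestBlocking: "modify or redirect requests in flight",
  desktopCapture: "capture the screen",
  nativeMessaging: "talk to a native host process outside the browser sandbox",
};

// Official Web Store update endpoint; anything else means the loader lives elsewhere.
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// Gather every permission string the manifest declares (MV2 keeps host patterns
// in "permissions"; MV3 moves them to "host_permissions").
function declaredPermissions(manifest) {
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
}

function hasBroadHostAccess(manifest) {
  return [...declaredPermissions(manifest)].some((p) => BROAD_MATCHES.has(p));
}

// Content scripts matched against every page can hook keyboard and form events.
function hasBroadContentScript(manifest) {
  return (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_MATCHES.has(m)));
}

// Map the manifest onto the four capabilities the article describes.
function capabilitiesOf(manifest) {
  const perms = declaredPermissions(manifest);
  const broad = hasBroadHostAccess(manifest);
  return {
    // chrome.tabs.captureVisibleTab needs host access to the page being captured.
    screenshots: broad || perms.has("desktopCapture"),
    clipboard: perms.has("clipboardRead"),
    // chrome.cookies only returns cookies for hosts the extension may access.
    cookies: perms.has("cookies") && broad,
    keystrokes: hasBroadContentScript(manifest),
  };
}

// Full list of findings for a human reviewer.
function auditManifest(manifest) {
  const findings = [];
  for (const p of declaredPermissions(manifest)) {
    if (RISKY_PERMISSIONS[p]) findings.push({ kind: "permission", value: p, why: RISKY_PERMISSIONS[p] });
    else if (BROAD_MATCHES.has(p)) findings.push({ kind: "host", value: p, why: "access to every site" });
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_MATCHES.has(m)) {
        findings.push({ kind: "content_script", value: m,
          why: `${(cs.js || []).join(", ")} injected into every page` });
      }
    }
  }
  if (manifest.update_url && manifest.update_url !== WEB_STORE_UPDATE_URL) {
    findings.push({ kind: "update_url", value: manifest.update_url,
      why: "updates fetched from outside the Chrome Web Store" });
  }
  return findings;
}

// Constructed sample manifests (not real extensions).
const BENIGN_CONVERTER = {
  manifest_version: 2, name: "File Converter (sample)",
  permissions: ["activeTab", "storage"],
  update_url: WEB_STORE_UPDATE_URL,
};
const SUSPICIOUS_CHECKER = {
  manifest_version: 2, name: "Safe Site Checker (sample)",
  permissions: ["tabs", "cookies", "clipboardRead", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" }],
  update_url: "https://updates.example.test/checker.xml", // hypothetical non-store host
};

for (const m of [BENIGN_CONVERTER, SUSPICIOUS_CHECKER]) {
  console.log(m.name, capabilitiesOf(m), auditManifest(m).map((f) => `${f.kind}:${f.value}`));
}
```

To run it against real extensions, read each manifest.json under the profile's Extensions directory with `JSON.parse(fs.readFileSync(...))` and pass it to `auditManifest`. A broad host permission alone is common in legitimate extensions, so treat the combination of findings (and especially a non-store update_url) as the signal, not any single permission.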
Gary Golomb, chief scientist of Awake Security, wrote in a technical breakdown of the threat: "Of the 26,079 reachable domains registered through GalComm, 15,160 domains are suspicious. Through a variety of evasion techniques, these domains have avoided being tagged as malicious by most security solutions and have thus allowed this campaign to go unnoticed." Golomb added that "passively targeting these applications with malicious browser extensions is akin to the new attacker rootkit."
In February, Duo Security uncovered a similar campaign: 500 Google Chrome extensions were found to be secretly uploading private browsing data to attacker-controlled servers and redirecting victims to malware-laden websites. Those extensions, too, had been downloaded millions of times from Google's Chrome Web Store.