Researchers find malicious extensions in Chrome Web Store

Earlier this year, Google has made it so that extension that are not hosted on the Chrome Web Store can’t be installed and used by users of its popular browser.

This move was meant to protect users, and its efficiency is based on the premise that no overtly or potentially malicious extensions will manage to get accepted and find their way to Google’s store.

Alas, the method is not foolproof.

Trend Micro researchers have recently analyzed a Facebook scam that invited users to see a video of some drunk girls. Those who clicked on the link were instructed to download a specific Chrome extension from the Chrome Web Store in order to see it.

Once the extension was downloaded, the victims were actually redirected to the YouTube video in question. But unbeknownst to them, the extension they have installed allowed scammers to post statuses, comments, and send messages on Facebook on their behalf.

“Our investigation reveals that the author behind this particular extension hired a virtual private server (VPS) in Russia, where he registered several domains,” the researcher pointed out. Among these domains was one C&C one where he or she collects stolen data from infected users and one that was used to register the extension at the Chrome Store.

“He has at least one more VPS that hosts about 30 different domains selling weight loss products, English language tutoring services, and work-from-home offers,” they shared. “He uses among.us as an online counter for his number of victims and Dropbox for hosting fraudulent pages.”

This particular extension has since been removed from the store but, unfortunately, this crook is not the only one who managed to get one inside it. The researchers have found several, and say that there are easy to spot if you know what to look for.

“At first glance, these extensions immediately appear suspicious. They are recently published, have no description for their supposed function, or have duplicate names. Some of them even have the same ‘author’ as the malicious ones,” they noted, adding that additional analysis shows that they contain obfuscated JavaScript code.

Users are advised to always carefully review the information that goes with each extension they want to install, and not to do it if it looks fishy.




Share this