Google Chrome users were targeted by spyware in Chrome extensions that could steal login information and browsing history. Google removed 106 malicious extensions from the Chrome Web Store, which had been downloaded approximately 33 million times, according to ZeroDay. Google was made aware of the extensions and the malicious domains by the latest report from cybersecurity watchdog Awake Security. Awake says the extensions were mainly disguised as tools to improve web searches, convert files between different formats, and act as security scanners for other data scraping domains. Instead, these extensions were coded to bypass Google’s Chrome Web Store security and would swipe users’ browsing history and data by taking screenshots, stealing cookies, or capturing keystrokes that provided the credentials for access to private information.
According to Reuters, the extensions specifically stole browsing history and data that provided credentials for access to internal business tools. More and more companies are beginning to use web browsers for email, payroll, and other tools that handle sensitive information, especially while a majority of people work from home. Not only did the techniques let the extensions bypass Web Store security, but the researchers found that the extensions were also coded to evade antivirus companies and security software that evaluates the reputations of web domains.
If someone used the software to navigate the web on a home computer, the researchers found it would connect to a set of websites and relay that information. Anyone using a corporate network, which would include security services, would not transmit sensitive information or even reach the malicious versions of the websites. The fact that the extensions flood home computers but not corporate computers attached to massive corporate systems shows a clear attempt to avoid attracting too much attention. The code of these domains gives them the ability to hide and camouflage the extensions so that they are not identified as dangerous.
Even though it seems people at home would be the ones targeted, Awake says that some of these extensions have been found on the networks of “financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations.” These extensions could be acting as backdoors into private networks and as tools to spy on people and companies, although ZeroDay reports there has been no evidence of such use yet.
Based on the number of downloads, it was the most far-reaching malicious Chrome Store campaign to date, according to Awake co-founder and chief scientist Gary Golomb. Google has turned off the Chrome extensions in the browser for each user. The extensions are still installed, but they are disabled in the extension section of the Chrome window and marked as “malware.” Make sure to check your browser’s extension page to see if you have anything marked as malware.