Chrome extensions provide a richer experience for their users, but a cottage industry of malicious Chrome extensions has emerged. Shimrit Tzur-David of Secret Double Octopus takes up the tale.

These malicious Chrome extensions perform man-in-the-browser attacks, a specialised breed of man-in-the-middle attack that manipulates browser content to steal sensitive user information or lure victims into malware-infected websites.

How much of the day do individuals throughout your organisation spend staring at their browsers? A lot, probably. At almost every company, employees use browsers to perform various tasks, whether it’s reading news, using web applications such as CRM portals, writing reports, processing spreadsheets, banking and more.

The browser wields a lot of power because of the sheer number of tasks it performs. And like any application that becomes too popular, browsers attract cybercriminals and hackers. Google Chrome, which accounts for the lion’s share of the browser market, is their biggest target.

The dangers of Chrome extensions

Application developers can create Chrome extensions to provide a richer experience for their users. Chrome extensions can perform a variety of tasks, from showing the Alexa ranking of websites to blocking ads to processing cryptocurrency payments on-site, and much more.

However, to perform these tasks, extensions require permission to access various data, such as the content of visited pages, bookmarks, browser history, clipboards, list of installed apps and even a user’s geographical location. Some extensions might request access to a microphone or webcam, and others might require permission to modify web page content.

Chrome extensions are complex applications in their own right. And complex apps can easily hide malicious behaviour. Chrome has a Web Store where developers can publish extensions and users can install them on their browsers. This is the equivalent of Google’s App Store for Android devices. And while Google does its best to keep its marketplace free of malware, cybercriminals are finding new ways to publish and distribute their malicious Chrome extensions and conduct man-in-the-browser attacks.

How do man-in-the-browser attacks work?

Upon installing a browser extension, it declares the kind of permissions it requires. In their haste to install the extension, users usually approve the installation without first reviewing the permission requests.

Malicious actors disguise their malware under the guise of extensions that perform useful tasks. Once the user installs the extension, hackers can perform various harmful tasks without the user’s knowledge. What makes malicious extensions especially dangerous is that once installed, users allow them the freedom to do anything they want, including sending the user’s data to clandestine servers without being flagged as malicious activity.

After a man-in-the-browser attack is staged, there’s a lot of evil things malicious extensions can do. Last year, Google removed three extensions that impersonated AdBlock Plus, a famous tool that removes ads from websites. One of the imposter extensions had amassed more than 40,000 downloads.

The hacker news

Around the same time, researchers at Morphus Labs discovered an extension that posed as an Adobe Acrobat reader plugin and collected user data, including username and passwords. Zscaler, discovered a Chrome extension that stole credentials, cookies and financial data from the websites users signed into.

More recently, researchers at Malwarebytes discovered an extension that not only performed malicious activity, but also hid its tracks by manipulating the extension’s list page on the victim’s browser and removing its name. In June, Kaspersky Labs reported a malicious extension that redirected users to pages that phished their credentials to banking websites and other applications.

Inline installs

Previously, Google provided inline installs, a feature that enabled developers to initiate extension installs directly from their website instead of redirecting users to the Chrome Web Store. The feature was meant to reduce friction within the user experience. However, inline installs also provided a smoother experience to bad actors who wanted to stage man-in-the-browser attacks and trick victims into installing malicious extensions when their guards were down.

In one case, researchers found a fake YouTube page that brought up an inline pop-up and prompted users to install a Chrome extension before playing the video. Once the users confirmed, their computers became part of a botnet, a network of infected computers that hackers use for different types of attacks such as Distributed Denial of Service (DDoS). The same scheme is used in other websites that warn users of an infection in their computer and urge them to install an extension that supposedly protects them, but instead steals their sensitive information.

Earlier this year, Google disabled inline installs to prevent malicious extensions from finding their way into users’ browsers. This means that before any installation, users must first go to the Chrome Web Store, where they can see the full page of extension information, including its reviews, history, number of installs and developers.

However, hackers have not been sitting on their hands, and they’ve found ways to work around this new limitation. In one such case, reported by Bleeping Computer, hackers used iframes to open up the Web Store in-page, but partially show it so that the user could only see the name and icon of the malicious extension plus the download button.

How to protect yourself and your organisation from malicious Chrome extensions

Like all application marketplaces, rooting out malicious extensions from the Chrome Web Store is an ongoing cat-and-mouse game between Google and bad actors. Therefore, while the company does a pretty good job at finding and removing malicious extensions, nothing is for sure.

As such, certain precautions should be taken to avoid falling victim to man-in-the-browser attacks through malicious Chrome extensions:

● Only install extensions from reputable sources. While this is not a guarantee, it does reduce the risk of installing malicious extensions. Reputable sources are companies that have a track record of delivering reliable products. The number of downloads and the reviews of an extension should also tell you something about the developer’s reputation, but again, there have been cases where malicious extensions have managed to amass tens of thousands of downloads.

● Only install extensions if they are absolutely needed. The surest way to avoid man-in-the-browser attacks is to avoid installing Chrome extensions altogether. While this might not be possible for many tasks, it does help to take a moment of consideration before rushing to install the next extension you see. Ask yourself and others in your organization, is it really needed? If the extension won’t be used frequently, an alternative is to perform those tasks directly from the website, even if it requires a few extra steps.

● Uninstall extensions when they’re no longer needed. Review the organization’s list of browser extensions periodically. If there’s an extension not being used frequently, remove it. Also remove any extension that’s not recognized. Extensions can always be reinstalled at a later time if the need arises.

● Separate user profiles. With Google Chrome (and most popular browsers), several user profiles can be maintained at once, each of which can have different extensions installed. Try to separate sensitive tasks such as banking, healthcare, personal email, etc within a profile that has no extensions installed. This way, in case a malicious extension is accidentally installed while browsing on a personal profile, the amount of damage it can cause is reduced.

Minimise credentials and use additional authentication factors to reduce the risk of man-in-the-browser attacks

Most cybercriminals are after usernames and passwords to hijack sensitive accounts. Therefore, a very large number of malicious Chrome extensions are aimed at stealing these credentials. As an organization, the risk your employees and users face can be minimized by investing in passwordless authentication technologies. With passwordless authentication, the need for memorizing, and typing and sending secrets between users’ devices and servers, is eliminated. Instead, authentication is performed out-of-band, through secure channels that aren’t vulnerable to man-in-the-browser and other MitM attacks.

Hackers won’t be able to redirect users to phishing websites to trick them into revealing their passwords. They won’t be able to read the passwords they type into a webpage’s forms. This means that even if hackers manage to infect your employees and users, they won’t be able to hijack their accounts.

Leave a Reply