Chrome Browser Extensions caught Spying on Users

July 1, 2020

Google has recently removed 106 extensions from the Chrome Web Store after it was discovered that they were illegally collecting sensitive user data as part of a “massive global surveillance campaign”. The main targets were oil and gas, finance, and healthcare sectors.

The findings were disclosed by Awake Security, and they said that the malicious browser add-ons were tied back to a single internet domain registrar, GalComm.

However, it’s not immediately clear who is behind the spyware effort.

According to Awake security, the extensions which were part of this campaign involved operations such as loading malware, taking screenshots of victim device, reading clipboard and also actively harvesting tokens and user inputs.

The extensions posed as utilities had capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them.

Furthermore, the actors behind the operation also implemented evasion techniques to avoid flagging the domains as malicious by anti-malware solutions, which thereby allowed the surveillance campaign to go undetected.

Google, in response to the disclosures, has deactivated the problematic browser extensions. The full list of offending extension IDs can be accessed here.

Telemetry data has revealed that some of these extensions were active on the networks of “financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education, and government organizations,” although there’s no evidence that they were actually used to collect sensitive data.

Recommendations:

It is recommended to consider the following best practices:

Users should review extension permissions by visiting “chrome://extensions” on the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don’t require invasive access to browser activity.
The users must always keep their browsers up-to-date so as to have the latest patches and less probability of getting affected.
The users must never download any extensions from external sources.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Chrome Browser Extensions caught Spying on Users

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure