1.3 million users encountered browser extension threats in the first half of 2022 (2024)

Kaspersky researchers have analyzed the risks that innocent-looking browser extensions pose to users and how cybercriminals hide threats inside add-ons. In the first half of 2022, more than 1.3 million users were affected at least once by threats hiding in browser extensions, which is over 70% of the number of users affected by the same threat throughout the whole of 2021, with half of the year still to go. By mimicking popular apps such as Google Translator, or extensions with useful functionality like PDF Converter or Video Downloader, threats in browser extensions can insert advertisements, collect data about users’ browsing histories and even search for login credentials, which makes them one of the most desirable tools for cybercriminals.

Since the beginning of 2020, Kaspersky products have prevented approximately 6 million users from downloading threats disguised as browser extensions. During the first half of 2022, Kaspersky researchers observed a rise in the number of affected users: 1.3 million users encountered threats in add-ons over this period, more than 70% of the number of users affected by the same threat throughout the entire previous year. The most prominent threat spread under the guise of browser extensions has been adware, unwanted software designed to throw advertisements up on the screen. Such advertisements are usually based on browsing history to catch users’ interest; the adware embeds banners in web pages or redirects users to affiliate pages that the developers can earn money from, instead of legitimate search engine ads. From January 2020 to June 2022, Kaspersky experts observed more than 4.3 million unique users facing adware hiding in browser extensions, which means approximately 70% of all affected users have encountered this threat.

Figure 1: Adware can track everything the user searches for and then promote these products with affiliate ads on the search engine

Malicious and unwanted add-ons have also been found to be distributed through official marketplaces. In 2020, Google removed 106 malicious browser extensions from its Chrome Web Store. All of them were being used to siphon sensitive user data, such as cookies and passwords, and even take screenshots. In total, these malicious extensions were downloaded 32 million times, putting the data of millions of users at risk.

However, this does not happen often; the main way malicious add-ons are distributed is through third-party resources. One of the threat families analyzed by Kaspersky researchers in the report, dubbed FB Stealer, was spread solely through untrustworthy sites. FB Stealer is one of the most dangerous threat families because, in addition to the traditional search engine replacement and redirection to affiliate pages, FB Stealer is able to steal user credentials from Facebook.

When users tried to download a cracked software installer from third-party resources, such as SolarWinds Broadband Engineers Keymaker, they actually received a dangerous NullMixer Trojan. Then NullMixer self-installed FB Stealer on the device, which looked less suspicious to the user because it mimicked the harmless and standard-looking Chrome extension "Google Translate."

Figure 2: NullMixer Trojan is spread through different hacked software installers, for example, SolarWinds Broadband Engineers Keymaker

After launching FB Stealer, NullMixer Trojan could extract Facebook session cookies - secrets stored in the browser holding identification data which allows users to stay logged in - and send them to the attackers’ servers. Using these cookies, they are able to quickly log into the victim's Facebook account. Once in the account, attackers ask the victim's friends for money, trying to take as much as possible before the user regains access to the account. In the end, after downloading a hacked installer from an unknown resource, users receive a threat they did not expect and many of their friends lose their money.

“Even browser extensions that do not carry a malicious payload can be dangerous. For example, when the developers of these add-ons sell gathered user data to other companies, potentially exposing their data to someone who was not supposed to see it. Users may wonder whether it is worth downloading browser extensions at all when they can carry so many threats. I am an active user of browser extensions myself and believe that add-ons improve the online experience. Some extensions can even make devices a lot safer, for example, password managers. It is much more important to keep an eye on how reputable and trustworthy the developer is and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, the risks of encountering any threats will be minimal,” comments Anton V. Ivanov, senior security researcher.

To learn more about the danger that innocent-looking browser extensions hold for users, read the full report on Securelist.

To protect yourself from threats hiding in browser extensions, Kaspersky recommends the following:

  • Only use trusted sources to download software. Malware and unwanted applications are often distributed through third-party resources where no one will check their security in the same way as official web stores do. These applications may install malicious or unwanted browser extensions without the user knowing about it and can perform other malicious activities.

  • Extensions add extra functionality to browsers and require access to various resources and permissions; carefully examine add-on requests before agreeing to them.

  • Limit the number of extensions you’re using at one time and periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.

  • Use a robust security solution. Private browsing, like in Kaspersky Internet Security, can help you avoid internet tracking and protect you from threats.
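As an added illustration of the permission review recommended above (this is not Kaspersky's tooling and not part of the original release), the following script reads extension `manifest.json` files and flags permissions that enable the behaviours the article describes: reading cookies, browsing history and screen contents. The permission names are real Chrome permissions; the risk wording, the sample manifests and the assumption that extensions are stored as `<id>/<version>/manifest.json` under the profile's `Extensions` directory are this example's own.

```python
import json
from pathlib import Path

# Real Chrome permission names; the risk descriptions are this example's own.
RISKY = {
    "cookies": "can read session cookies",
    "history": "can read browsing history",
    "tabs": "can see URLs and titles of open tabs",
    "webRequest": "can observe network requests",
    "desktopCapture": "can capture the screen",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    hosts = set(manifest.get("host_permissions", []))               # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = [f"{p}: {why}" for p, why in RISKY.items() if p in perms]
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: runs on or reads every site")
    return sorted(findings)

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json below extensions_dir (assumed layout)."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        key = f"{path.parts[-3]} ({manifest.get('name', '?')})"
        report[key] = audit_manifest(manifest)
    return report

# Constructed sample manifests, not taken from any real extension.
SAMPLE_TRANSLATOR = {
    "name": "Translate helper", "manifest_version": 2,
    "permissions": ["cookies", "tabs", "<all_urls>"],
}
SAMPLE_PASSWORD_MANAGER = {
    "name": "Vault", "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_TRANSLATOR, SAMPLE_PASSWORD_MANAGER):
        print(sample["name"], audit_manifest(sample))
```

A finding is a prompt to check whether the extension's stated purpose needs that access, not proof that the extension is malicious.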

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.


