Over 500 Chrome extensions have secretly siphoned the browsing data of millions of users for almost two years. They were discovered by Google and researchers from the company Duo Security. The majority of these extensions belonged to a fraudulent network that made money through invasive advertising campaigns or redirected users to malware or phishing sites.
Researcher Jamila Kaya from Duo Security discovered some of the extensions during a routine scan. She noted that they were injecting malicious code that redirected users to sites with a common URL pattern. In some cases, however, these were legitimate sites like Amazon, BestBuy, or even Macy's, to which Internet users were affiliated.
Still other sites contained malware or had been set up for phishing campaigns. The researcher identified 71 extensions with nearly 2 million users. Once alerted, Google conducted its own investigation, which led to the discovery of 430 additional extensions. They have since been removed from the Chrome store.
These extensions secretly recorded navigation data
Command-and-control channels exfiltrated private browsing data without users' knowledge, with the aim of displaying personalized advertising streams while evading the Chrome Web Store's fraud detection mechanisms, the researchers explain in their report.
They note that the campaign had been running since at least January 2019 and grew rapidly from March to June. The operators may have been active for a much longer period, possibly as early as 2017.
This is not the first time that this kind of network has been discovered. Google regularly cleans up the Chrome Web Store following the discovery of malicious extensions. This is a reminder that users need to be careful when installing new extensions. A fairly effective precaution is to pay attention to votes and comments.
As researcher Jamila Kaya explains, most of the extensions identified in this case had almost no votes or comments. Often, these malicious Chrome extensions are fraudulently installed without the users' knowledge, so it's important to regularly review your list of extensions and delete the ones you don't know or don't use.
Source: Duo Security