Thursday , 21 June 2018
Home >> G >> Google >> Google Chrome: Beware these malicious extensions that record everything you do

Google Chrome: Beware these malicious extensions that record everything you do

trenddroidclub.png

The attackers used a blend of malicious ads and social engineering to trick victims into installing the extensions.


Image: Trend Micro

techrepublic


NFL's new secret weapon for training world-class athletes: Smart beds


NFL’s new secret weapon for training world-class athletes: Smart beds

The National Football League is teaming up with Sleep Number to help its players use big data and machine learning to improve their sleep and boost performance.

Read More

Google has removed 89 malicious extensions from the Chrome Web Store that have been installed on over 420,000 browsers, turning them into Monero-mining slaves and loading a tool to record and replay what their owners do on every website they visit.

Researchers at Trend Micro dubbed the family of malicious extensions Droidclub and discovered they included a software library with so-called “session-replay scripts” used by online analytics firms.

Princeton’s Center for Information Technology in November drew attention to the increasing use of session-replay scripts by third-party analytics firms on high-traffic websites.

The study looked at replay services from Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam, which were found on nearly 500 popular sites.

The scripts allow a site owner to essentially shoulder-surf their visitors by recording and replaying your “keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit”.

But instead of allowing a site owner to record and play back what users do on one site, Droidclub extensions allow the attacker to see what victims do on every single site they visit.

“These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things,” said Trend Micro fraud analyst Joseph Chen.

“Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild.”

The 98 malicious extensions are an odd collection of home cooking and home decoration themed tools, which victims most likely didn’t go to the Chrome Web Store and search for.


Get more done with free privacy and productivity extensions for Google Chrome


Blur


Taco


AutoMute


OneTab























































































































Rather, the attackers used a blend of malicious ads and social engineering to trick victims into installing the extensions. A malicious ad posing as an error message prompted the victim to install an extension from the Chrome Web Store to view blocked content.

Chen says the extensions employ a session-replay script available in a JavaScript library from Yandex Metrica.

The extension, combined with the library, allows the attacker to steal data entered into forms, including names, credit card numbers, CVV numbers, email addresses, and phone numbers. Passwords are not stolen, according to Chen.

Google said in a statement to Trend Micro that it had disabled the extensions on devices of all affected Chrome users.

Read: Shore up your defenses: Budget extra for an IT audit in 2018

And although Google encourages users to report malicious extensions, Droidclub extensions have been designed to thwart that process too.

If users try to report an extension via the Chrome Web Store, they end up being redirected to the introduction page of the affected extension. Attempts to remove the extension also lead the user to a fake page that tells them the extension has been removed when it has not.

Last month Google also removed four malicious extensions from the Chrome Web Store that had been installed by 500,000 Chrome users.

Previous and related coverage

Google Chrome under attack: Have you used one of these hijacked extensions?

Recent versions of several Chrome extensions have been compromised to spread malicious ads.

Google Chrome can now spot even brand new phishing pages

Google has rolled out two new tools to combat phishing, and upped Gmail security.

Chrome going after shady site redirect tactics

A trio of redirect tactics used predominately in the dodgier parts of the internet have been targeted by Google for extinction.

Chrome will whack website bait-and-switch tactics (CNET)

Starting in 2018, Google’s browser will stop website elements that try to send you to a page you didn’t expect or want.

10 tips to help you get the most out of Google Chrome (TechRepublic)

Google Chrome is the most popular US web browser, and has made large gains in the enterprise in recent years. Here are 10 tips for increasing your productivity with the browser.

close
==[ Click Here 1X ] [ Close ]==