Over 24K SA users faced browser extension threats

By Staff Writer, ITWeb
Johannesburg, 18 Aug 2022

In the first half of 2022, over 24 000 South African users were affected by threats that hid in browser extensions, which is three times more than the number of users affected by the same threat throughout the whole of last year.

By aping popular apps such as Google Translator, or extensions with useful functionality such as PDF Converter or Video Downloader, threats in browser extensions can insert advertisements, collect data about users’ browsing histories and even search for login credentials, making them attractive tools for bad actors.

This is according to Kaspersky Lab, which, since the beginning of 2020, has prevented approximately six million users globally from downloading threats disguised as browser extensions.

During the first half of 2022, the company’s researchers also recorded an increase in such threats in Kenya and Nigeria. In Kenya, 14 800 users encountered browser extension threats – a 59% increase when compared to 2021, and in Nigeria, 4 200 users were affected – seven times more than the number of users affected the year before.

Adware

The most notable threat that spreads by pretending to be a legitimate browser extension is adware, or unwanted software designed to bring ads up on the screen. These ads are usually targeted according to the user’s browsing history to pique their interest. Sometimes, they embed banners in Web pages or redirect users to affiliate pages that developers can earn money from, instead of legitimate search engine ads.

From January 2020 to June 2022, Kaspersky researchers observed that 38 900 unique users in SA, 29 000 in Kenya and 10 000 in Nigeria faced adware hiding in browser extensions (this is approximately 89%, 80% and 78% respectively of all users in these countries affected by browser extension threats).

Adware can track everything the user searches for and then promote these products with affiliate ads on search engine

Kaspersky says malicious and unwanted add-ons have also been distributed through official marketplaces. In 2020, Google removed 106 malicious browser extensions from its Chrome Web Store. Each of these was being used to siphon sensitive user data, such as cookies and passwords, and even take screenshots.

In total, these malicious extensions were downloaded 32 million times, putting the data of millions of users at risk.

Stealing Facebook

However, this is the exception rather than the rule, and the main way malicious add-ons are distributed is through third-party resources. One threat family analysed by Kaspersky researchers, dubbed FB Stealer, was spread solely through untrustworthy sites.

FB Stealer is one of the most dangerous threat families because, in addition to the traditional search engine replacement and redirection to affiliate pages, it is able to steal user credentials from Facebook.

When users attempted to download a cracked software installer from third-party resources, such as SolarWinds Broadband Engineers Keymaker, they actually received a dangerous NullMixer Trojan, which then self-installed FB Stealer on the device. The extension looked less suspicious to the user because it mimicked the harmless and standard-looking Chrome extension "Google Translate."

Once FB Stealer is launched, the NullMixer Trojan has the ability to extract Facebook session cookies – secrets stored in the browser that hold identification data and allow users to stay logged in – and send them to the threat actors’ servers.

Using these cookies, the threat actors are able to quickly log into the victim's Facebook account and, once inside, can ask the victim's friends for money, trying to take as much as possible before the user regains access to their account.

Extensions or not?

Anton Ivanov, a senior security researcher at Kaspersky, says even browser extensions that do not carry a malicious payload can be a threat. For example, when developers of these add-ons sell user data to other companies, they can potentially expose this data to someone who was not supposed to see it.

“Users may wonder whether it is worth downloading browser extensions at all when they can carry so many threats. I am an active user of browser extensions myself and believe that add-ons improve the online experience. Some extensions can even make devices a lot safer, for example, password managers,” he adds.

According to Ivanov, it is far more critical to keep an eye on how reputable and trustworthy the developer is and what permissions the extension asks for.

“If you follow the recommendations for safe use of browser extensions, the risks of encountering any threats will be minimal,” he ends.
