A newly discovered spyware campaign reached users through extensions for Google’s Chrome browser that were downloaded 32 million times. Researchers at Awake Security revealed this to Reuters, exposing the tech industry’s failure to protect browsers now used for email, payroll, and other sensitive tasks.
Google’s parent company, Alphabet Inc., removed over 70 malicious add-ons from the Chrome Web Store last month after the researchers alerted them.
“When we find extensions in the Web Store that violate our policies, we remove them,” said Google spokesman Scott Westover. “We also use these incidents to improve our automated and manual detection systems.”
Many of the free extensions claimed to warn users about suspicious websites or convert files. In reality, they stole browsing history and login data for internal business tools. Awake co-founder and chief scientist Gary Golomb called it the largest malicious Chrome Store campaign ever, based on downloads.
Google did not disclose how this attack compared to previous ones, the extent of the damage, or why it failed to detect the extensions despite earlier promises to monitor submissions more closely.
The developers provided fake contact details when submitting the extensions, leaving their identities unknown. Former NSA engineer Ben Johnson, founder of Carbon Black and Obsidian Security, said attackers target browsers and email because they open doors to sensitive data for both cybercriminals and state espionage.
The extensions bypassed antivirus checks and reputation-based security tools by spreading their traffic across thousands of malicious domains, Golomb explained. Home users unknowingly connected to these domains and sent out information. Users on corporate networks with tighter security did not transmit sensitive data.
“This attack shows how simple methods can hide thousands of malicious domains,” Golomb said.
After publication, Awake released its research with a list of the domains and extensions. All 15,000+ linked domains came from Galcomm, a small registrar in Israel. Awake claimed Galcomm should have detected the activity.
Galcomm owner Moshe Fogel denied wrongdoing. “Galcomm is not involved in any malicious activity,” he told Reuters. “We work with law enforcement to stop abuse.” He added that many of the listed domains were inactive and promised to investigate the rest.
ICANN, the global body that oversees domain registrars, reported few complaints about Galcomm and none related to malware.
Malicious Chrome extensions have been a long-term issue. They once served annoying ads, but now install spyware and track users for commercial or government purposes. Google promised better oversight in 2018 when one in ten submissions was flagged as malicious.
Still, in February, independent researcher Jamila Kaya and Cisco’s Duo Security exposed another Chrome campaign that stole data from 1.7 million users. Google later found 500 fraudulent extensions in that case.
“We do regular sweeps to find extensions using similar techniques, code, and behaviors,” Google’s Westover said, in identical language to what Google gave out after Duo’s report.
Article courtesy: www.itnews.com.au