Google Removes More Than 70 Malicious Chrome Extensions
Researchers Find Extensions Could Steal Credentials and Security Tokens
Google has removed more than 70 malicious Chrome extensions after researchers with security firm Awake Security discovered the extensions could be used to steal users' credentials and security tokens.
During a three-month period, Awake Security researchers discovered 111 of these malicious Chrome extensions, including 79 that were available in the official Chrome Web Store. Gary Golomb, co-founder and lead researcher at Awake Security, estimates that these browser extensions could have been downloaded over 32 million times worldwide.
While many of these extensions were portrayed as providing such services as converting files or improving searches, the researchers found that they spied on users by taking screenshots or collecting credentials and other data stored in the browser or in cookies.
The researchers also found that these extensions had been downloaded to devices associated with organizations in many sectors, including financial services; oil and gas; media and entertainment; healthcare and pharmaceuticals; retail; high-tech; higher education; and government.
"The motive is still unclear - but it’s clear that this activity has the hallmarks of either a nation-state or criminal conspiracy," Golomb tells Information Security Media Group.
And while Awake Security worked with Google to help identify the malicious Chrome extensions that were listed in the official Chrome Web Store, Golomb says others are still listed for download on unofficial websites.
"We're pleased to see Google being more aggressive in recent months in identifying malicious behavior," Golomb says.
In addition to the more than 100 malicious Chrome extensions discovered as part of this campaign, the Awake Security researchers found more than 15,000 domains designed to hold the data that the extensions collected.
The researchers found that these domains were all registered through GalComm - an Israeli-based internet domain registrar firm. Awake Security researchers say they were unable to contact GalComm representatives.
GalComm did not immediately respond to ISMG's request for comment on Friday. Moshe Fogel, the firm's owner, told Reuters he was unaware of any malicious activities tied to his company.
"Galcomm is not involved and not in complicity with any malicious activity whatsoever," Fogel told Reuters. “We cooperate with law enforcement and security bodies to prevent as much as we can."
Awake Security researchers determined, however, that the GalComm domains came with advanced security processes that could enable a threat actor to bypass "multiple layers of security controls" to help them surreptitiously carry out their activities.
"Our hope is that by releasing this research and highlighting the threat and what is driving it, this campaign will not be able to continue to function," Golomb says. "Our concern, however, is the continued subversion of the domain registration process and the impact that has on trying to identifying and stop attacks of this nature."
Various Malicious Extensions
The Awake Security report notes that the Chrome extensions that ended up in the official Google store are designed differently than those that are still available through unofficial sites.
"For example, the non-store extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters and grab user keystrokes, like passwords," Golomb says. "The in-store extensions were more passive and flew under the radar by only collecting what was least blatantly bad, but as we saw from the data being sent out from endpoints, this information contained tokens, credential information and other critical data points that could be used to further additional attacks."
Google has had other issues with troublesome Chrome extensions.
In February, for example, the company removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data (see: Google Removes 500 Chrome Extensions Tied to Malvertising).
In October 2019, Google updated its security and privacy requirements for developers who want to post new extensions in the company's official online store.
Managing Editor Scott Ferguson contributed to this report.