If you are a Google Chrome user who often installs extensions without fully knowing how they work, it is time to be cautious: security experts warn that as many as 89 such extensions they found were malicious.
Although Google removed these extensions from the Chrome Web Store after Trend Micro detected the issue, and disabled the extensions, which were running on more than 400,000 systems, it is essential for everyone to know how to deal with such extensions if you spot one.
According to the Japanese cyber security and defense company Trend Micro, the malicious and dangerous extensions in question on the official Chrome Web Store appeared perfectly innocent but had the ability to clone everything you do when you visit a website.
Joseph Chen, a fraud analyst at Trend Micro, says the extensions had the secret ability to record and replay every mouse click, scroll and keystroke you perform, eWEEK reported.
“These scripts are injected into every website the user visits,” he was quoted as saying.
“Malicious botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used,” Chen wrote in a blog post.
Droidclub also abuses legitimate session replay libraries to violate the user’s privacy. These scripts are injected into every website the user visits.
These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw and what the user entered, among other things.
“Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild,” Chen stated.
The attacker gets the user to install these malicious Chrome extensions via a mix of malvertising and social engineering. Chen wrote that they found a total of 89 Droidclub extensions.
How to mitigate the threat
According to Chen, users can mitigate the threat by the use of web blocking services or script blockers that block malicious sites from displaying.
Similarly, system administrators may opt to set Chrome policies that bar users from installing extensions on their systems.
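One concrete way to apply that policy, as an added example rather than anything from the article or from Trend Micro: on Linux, Google Chrome reads managed policy files from /etc/opt/chrome/policies/managed/, so a file such as extensions.json there can block installation of every extension and then allow only the ones an administrator has vetted. The 32-character ID in the allowlist is a placeholder of the right shape, not a real extension; replace it with the IDs of the extensions your organisation actually permits, or leave the allowlist empty to block all of them.

```json
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  ]
}
```

The "*" entry in ExtensionInstallBlocklist blocks every extension not explicitly listed in ExtensionInstallAllowlist, and already-installed extensions that fall under the block are disabled. On Windows the same two policies are set as registry keys under HKLM\SOFTWARE\Policies\Google\Chrome, with each ID (or "*") stored as a numbered REG_SZ value. After deploying the policy, open chrome://policy on a managed machine to confirm it has been picked up and that no errors are shown for it.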
User awareness training may help reduce the risks.
You can also report an extension to Google if you suspect it is malicious or spot any unusual activity; Google encourages users to report such cases.
Researchers in recent weeks had also found four malicious Chrome extensions installed on over 500,000 systems.
In December, Archive Poster, a popular Chrome extension, was spotted running Coinhive to mine cryptocurrency, the International Business Times reported.