Browser extensions enhance our online experience, adding functionalities and features to our favorite browsers. However, amidst the vast array of extensions, there exists a potential threat: malicious browser extensions.
The latest report from ReasonLabs, The Cashback Extension Killer, discusses a set of malicious web extensions disguised as fake VPNs, delivered by a Trojan installer, and distributed through torrent files. They were then live on the Chrome Web Store for months, ultimately affecting over 2 million users! Google removed the active threats from the Chrome Web Store shortly after ReasonLabs researchers disclosed them.
Before we dive into the report’s findings, let’s define what an extension is, how you can recognize a malicious extension, and crucially, how to prevent these digital intruders from compromising your online security.
Understanding browser extensions
Browser extensions, also known as add-ons or plugins, are small software modules that extend the functionality of web browsers. They are designed to customize and improve your browsing experience by adding features, altering the appearance of websites, or enhancing productivity.
Users typically download browser extensions from official extension stores associated with their respective browsers. The following are the primary sources for downloading extensions for popular browsers:
- Google Chrome: Chrome Web Store: This is the official extension store for Google Chrome. Users can find a wide range of extensions, apps, and themes vetted by Google for Chrome users.
- Mozilla Firefox: Mozilla Add-Ons: The official add-ons website for Mozilla Firefox. Users can discover and install a variety of extensions, themes, and plugins verified by Mozilla.
- Microsoft Edge: Microsoft Edge Add-Ons: The official extension store for Microsoft Edge. Users can explore and install extensions specifically designed for the Edge browser.
- Apple Safari: Safari Extensions Gallery: The official source of extensions for Safari. Users can explore and install extensions directly from within the Safari browser.
- Opera: Opera Add-Ons: The official extension store for the Opera browser. Users can find and install a variety of extensions and themes tailored for Opera.
It's important for users to be cautious and only download extensions from official stores. These stores have security measures in place to verify the authenticity and safety of extensions, reducing the risk of downloading malicious software. Avoid downloading extensions from third-party websites or untrusted sources to minimize security risks to your browser and device.
The ReasonLabs Report: Fake VPNs and malicious extensions
Key findings from the report showed that numerous malicious web extensions were being delivered to users through a Trojan installer. The malicious installers installed one of at least three malicious web extensions for Google Chrome or Edge, each claiming to be a Virtual Private Network (VPN). The extensions were live on the Chrome Web Store until Google took them down after ReasonLabs reported them.
The extensions were installed onto users’ browsers without their knowledge. They were mostly distributed through game torrents: instead of delivering the game, the installer delivered malware. The goal of the malicious extension code appears to have been financial: it interfered with cashback and coupon activity, resulting in financial fraud.
What is a Trojan installer and how can it install a malicious extension?
A Trojan installer is a type of malware that disguises itself as a legitimate program or file but, once executed, delivers and installs malicious software onto a user's system without their knowledge or consent. Trojans are named after the ancient Greek story of the wooden horse used to infiltrate Troy, symbolizing how they deceive users by appearing harmless.
In the context of browser security, a Trojan installer can be used to install a malicious browser extension by exploiting vulnerabilities or tricking users into unknowingly granting permissions. This process is discussed in technical detail in the latest ReasonLabs report - but here is a general overview:
- Deceptive download: Users unknowingly download a seemingly harmless file, often disguised as a legitimate software update, cracked software, or a free utility. The Trojan installer is bundled with this seemingly innocuous file.
- Social engineering: The Trojan may employ social engineering tactics to convince users to execute the downloaded file. This could involve deceptive messages, fake software updates, or enticing offers.
- Exploiting vulnerabilities: Trojans often exploit vulnerabilities in the user's operating system or software to execute malicious code without detection. This can happen through unpatched security flaws.
- Silent installation: Once executed, the Trojan installer works silently in the background, avoiding detection by security software. It proceeds to install the malicious extension without the user's knowledge.
- Browser exploitation: The Trojan installer might leverage vulnerabilities in the browser itself to manipulate or bypass security mechanisms. This allows it to install the malicious extension without triggering alerts.
- Unauthorized permissions: In some cases, Trojans exploit the user's trust in the system to gain unauthorized permissions. This might involve manipulating the user into approving the installation of the extension or modifying browser settings.
- Remote control: The installed extension can establish a connection with a remote server controlled by the attacker. This enables the attacker to remotely control the compromised browser and execute further malicious actions.
Recognizing a malicious extension
Learning to recognize a malicious extension can help prevent damage from being done to your device. We’ve rounded up some top points that you need to be aware of:
- Unverified sources: Stick to official extension stores, as listed above. Avoid downloading extensions from unverified websites, as these can host malicious versions.
- Excessive permissions: Legitimate extensions only request permissions necessary for their functionality. If an extension asks for excessive permissions unrelated to its purpose, it could be malicious.
- User feedback: Check user reviews and ratings in the extension store. If an extension has low ratings or numerous negative reviews citing security concerns, reconsider installing it.
- Spike in popularity: Malicious extensions might suddenly gain popularity due to deceptive marketing practices. Be cautious if an extension experiences an unexplained surge in downloads.
- Behavioral changes: If an extension alters your browser's behavior unexpectedly, such as redirecting your searches or injecting ads where it shouldn't, it may be malicious.
How to prevent malicious and illegal extensions
As mentioned above, you should only download extensions from trusted sources and official stores - but there are some other steps you can take to prevent falling victim to illegal extensions:
- Understand permissions: Before installing an extension, carefully read and understand the permissions it requests. If they seem excessive or unrelated to their function, think twice.
- Regularly review installed extensions: Periodically review the extensions you've installed. If you no longer use one or are uncertain about its origin, remove it to minimize potential security risks.
- Security updates: Stay informed about security updates and issues related to browser extensions. Browser developers often release updates to address vulnerabilities.
- Install cybersecurity software: Employ reliable security software that includes browser protection. The Online Security extension from ReasonLabs provides tools that can help identify and block malicious extensions before they compromise your system.
- Awareness is key: Be aware of common tactics used by malicious extensions. Educate yourself on how to recognize potential threats to bolster your online security.
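To make the permission check and the periodic review of installed extensions concrete, here is an added Python audit script written for this article (it is not ReasonLabs' code). It scores a Chrome or Edge manifest.json by the access it requests; the permission weights and the two sample manifests are assumptions constructed for the example, and scan_profile reads the Extensions directory the browser already keeps inside its profile.

```python
import json
from pathlib import Path

# Host patterns granting read/modify access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension watch or rewrite traffic, cookies or tabs.
RISKY_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "proxy", "cookies", "tabs", "history", "scripting", "management"}

def risk_score(manifest):
    """Return (score, reasons) for one manifest.json dict; higher means review it."""
    reasons, score = [], 0
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p in BROAD_HOST_PATTERNS or "://" in p}
    for host in sorted(hosts & BROAD_HOST_PATTERNS):
        score += 3
        reasons.append(f"broad host access: {host}")
    for perm in sorted(perms & RISKY_API_PERMISSIONS):
        score += 1
        reasons.append(f"sensitive API permission: {perm}")
    for script in manifest.get("content_scripts", []):
        if BROAD_HOST_PATTERNS & set(script.get("matches", [])):
            score += 2
            reasons.append("content script injected into every page")
    return score, reasons

def scan_profile(extensions_dir):
    """Score every <profile>/Extensions/<id>/<version>/manifest.json, riskiest first.
    On Linux Chrome keeps that directory at ~/.config/google-chrome/Default/Extensions
    and Edge at ~/.config/microsoft-edge/Default/Extensions."""
    results = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest: skip, don't crash
        score, reasons = risk_score(manifest)
        # Names are often localized placeholders such as __MSG_appName__.
        results.append((path.parent.parent.name, manifest.get("name", "?"), score, reasons))
    return sorted(results, key=lambda r: -r[2])

# Constructed sample manifests (not real extensions) to exercise the scoring.
BENIGN_MANIFEST = {"name": "Constructed Notes", "manifest_version": 3,
                   "permissions": ["storage"]}
SUSPICIOUS_MANIFEST = {"name": "Constructed Free VPN", "manifest_version": 3,
                       "permissions": ["webRequest", "cookies", "tabs", "storage"],
                       "host_permissions": ["<all_urls>"],
                       "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
```

A "VPN" that wants every page, cookies and a content script on all sites, as the second sample does, scores far above a note-taking tool that only asks for storage; anything near the top of scan_profile's output that you do not remember installing is the first thing to remove.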
Browser extensions can be powerful tools, but vigilance is paramount. By understanding what constitutes a malicious extension and following preventive measures, you can navigate the web safely. Additionally, using a next-generation antivirus solution like RAV Endpoint Protection can protect you from threats like Trojan installers and more. For more information on current global cybersecurity threats, the Online Security browser extension, RAV VPN and other cybersecurity products from ReasonLabs, visit reasonlabs.com.