We explain what can happen after installing browser extensions, using the most common families of malicious extensions as examples.
We have probably all installed browser extensions at some point: an ad blocker, an online translator, a spell checker, or another type of extension.
However, few of us stop to think: Is it safe? Unfortunately, these seemingly harmless applets can be much more dangerous than they seem at first glance. Let’s see what can happen.
To do this, we’ll use data from a recent report by our experts on the most common families of malicious browser extensions.
What Are Browser Extensions, and What Do They Do?
Let’s start with the basic definition and identify the root of the problem. A browser extension is a plugin that adds functionality to your browser.
For example, that functionality can be blocking ads on web pages, taking notes, checking spelling, and so on. For the most popular browsers, an official extension store helps you select, compare, and install the plugins you need. But extensions can also be installed from unofficial sources.
It’s important to note that for an extension to work properly, it usually needs permission to read and change the content of the web pages you view in the browser. That access is what lets the extension do its job, and it is the same access that can be turned against you.
In the case of Google Chrome, such extensions require the ability to read and change all your data on every website you visit. This is no small thing, yet even the official stores draw little attention to it.
For example, in the official Chrome Web Store, the Privacy Practices section of the popular Google Translate extension states that it collects information about location, user activity, and website content. But the fact that it needs access to all data on all websites in order to work is only revealed to the user at the moment the extension is installed.
Google Translate browser extension requests permission to “Read and change all your data on all websites” you visit.
Many, probably most, users will not even read this message and will automatically click Add Extension to start using it immediately. This is what allows cybercriminals to distribute adware and even malware by posing as harmless extensions.
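The prompt above corresponds to concrete keys in the extension’s manifest: a host pattern such as `<all_urls>` or `*://*/*` in `host_permissions` (Manifest V3), in `permissions` (Manifest V2) or in a content script’s `matches` is exactly “read and change all your data on all websites”. The following audit script is an added example, not code from the report or from any extension it names; it flags those broad host patterns, API permissions that deserve a second look (notably `cookies`, which later sections show being abused), and `chrome_settings_overrides`, the manifest key through which an extension replaces the homepage or default search engine. The two manifests at the bottom are constructed for illustration.

```javascript
// Added example: audit a Chrome extension manifest (MV2 or MV3) for the
// access behind "Read and change all your data on all websites". The sample
// manifests below are constructed, not taken from any real extension.

// Host patterns that cover every site the user visits.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// API permissions and why a reviewer should care about each one.
const SENSITIVE_APIS = {
  cookies: "read and write cookies, i.e. session tokens",
  webRequest: "observe every request the browser makes",
  declarativeNetRequest: "block, redirect or rewrite requests",
  scripting: "inject scripts into pages",
  tabs: "see the URL of every open tab",
  history: "read browsing history",
  management: "enumerate and disable other extensions",
};

// Gather every host pattern: MV3 host_permissions, MV2 permissions (which mix
// API names and host patterns) and the matches of each content script.
function hostPatterns(manifest) {
  const out = [];
  for (const p of manifest.host_permissions || []) out.push(p);
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) out.push(p);
  }
  for (const cs of manifest.content_scripts || []) out.push(...(cs.matches || []));
  return out;
}

function auditManifest(manifest) {
  const hosts = hostPatterns(manifest);
  const allSites = [...new Set(hosts.filter((p) => ALL_SITES.has(p.trim())))];
  const apis = (manifest.permissions || []).filter((p) => p in SENSITIVE_APIS);
  const overrides = Object.keys(manifest.chrome_settings_overrides || {});
  const findings = [];
  if (allSites.length) findings.push(`reads and changes data on all websites (${allSites.join(", ")})`);
  for (const a of apis) findings.push(`${a}: ${SENSITIVE_APIS[a]}`);
  if (allSites.length && apis.includes("cookies")) {
    findings.push("all-sites access plus cookies: can harvest session cookies for any site");
  }
  for (const key of overrides) findings.push(`chrome_settings_overrides.${key}: replaces a browser setting`);
  return { name: manifest.name, allSites: allSites.length > 0, sensitiveApis: apis, overrides, findings };
}

// Constructed sample 1: a "converter" that asks for far more than it needs.
const CONVERTER_MANIFEST = {
  manifest_version: 3,
  name: "Word to PDF Converter (sample)",
  permissions: ["cookies", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  chrome_settings_overrides: {
    homepage: "https://search.example/start",
    search_provider: {
      name: "Example Search",
      search_url: "https://search.example/?q={searchTerms}",
      encoding: "UTF-8",
      is_default: true,
    },
  },
};

// Constructed sample 2: the same feature scoped to what it actually uses.
// activeTab grants access only to the tab the user clicks the extension on.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Word to PDF Converter, scoped (sample)",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://convert.example/*"],
};

for (const m of [CONVERTER_MANIFEST, SCOPED_MANIFEST]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.findings.length ? r.findings.join("; ") : "no findings"}`);
}
```

To run it against a real extension, load its `manifest.json` with `JSON.parse` and pass the object to `auditManifest`. The first sample produces six findings; the scoped one produces none, which is the difference a user never sees behind a single “Add extension” click.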
As for adware browser extensions, the right to modify the displayed content allows the extension to inject advertisements into the websites you visit.
In this case, the extension’s creators earn money from user clicks on tracked affiliate links that lead to advertisers’ websites.
They may also analyze your searches and other data to offer you more targeted advertising content on your profile.
Things are even worse when it comes to malicious extensions. Access to the content of all visited websites allows an attacker to steal bank card details, cookies, and other types of sensitive information. Let’s look at some examples:
Fake Browser Extensions for Office files:
Cybercriminals have been actively spreading adware extensions of the Web Search family in recent years. Members of this family are often disguised as tools for working with Office files, such as converting Word files to PDF.
Most of them even perform the functions they promise, but once installed they replace the usual browser homepage with a microsite containing a search bar and tracked affiliate links that lead to third-party websites, such as AliExpress or Farfetch.
Browser home page after downloading one of the Web Search family extensions
Once installed, the extension also changes the default search engine to search.myway.com. This allows cybercriminals to save and analyze users’ search queries and serve more relevant affiliate links based on their interests.
Web Search extensions are no longer available on the official Chrome store but can still be downloaded from third-party sites.
An adware extension that won’t leave you alone:
Members of DealPly, another common family of adware extensions, usually arrive on people’s computers when they download pirated content from dubious websites. They work in the same way as the Web Search extensions.
DealPly browser extensions also replace the browser’s home page with a microsite full of affiliate links to popular digital platforms. Like the Web Search extensions, they replace the default search engine and analyze users’ search queries to build more personalized ads.
Browser home page after downloading one of the DealPly family browser extensions.
Also, members of the DealPly family are very difficult to get rid of. Even if the user removes the adware extension, it will be reinstalled on their device whenever the browser is opened. That behaviour means the component doing the reinstalling lives outside the browser, so deleting the extension from the browser’s own list does not clean the machine; whatever put it there has to be found and removed as well.
AddScript hands out unwanted cookies:
Browser extensions from the AddScript family often masquerade as useful tools for downloading music and videos from social networks, or as proxy server managers. They do offer these features, but they also load malicious code onto the victim’s device.
Attackers then use this code to play videos in the background without the user noticing, earning revenue from the inflated view counts.
Another source of revenue for cybercriminals is dropping cookies onto the victim’s device.
Cookies are small pieces of data a website stores on the user’s device, and they can be used as a digital bookmark. In the normal case, an affiliate partner promises a merchant that it will send the merchant customers.
To do this, the partner attracts users to its own site which, again in the normal case, it does through interesting or useful content.
It then sends the user on to the merchant through a tracked link, and a cookie recording the referral is stored on the user’s computer. With this cookie, the merchant knows where the new customer came from and pays the partner: sometimes a flat fee for the referral itself, sometimes a percentage of the purchases made.
AddScript operators use a malicious extension to abuse this arrangement. Instead of sending real visitors to the merchants, they drop the merchants’ affiliate cookies onto infected devices.
These cookies act as bookmarks for the scammers’ own partner accounts, so whenever the infected user later buys something from one of those merchants, the AddScript operators get paid.
They do not attract a single new customer; their entire “partner” activity consists of infecting computers with these malicious extensions. This is known as cookie stuffing.
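The distinguishing feature of cookie stuffing is that the attribution cookie appears without the click-through it is supposed to record. The detector below is an added example, not part of the report, written over a constructed event log; the log format (top-level navigations with their referrer, and cookie writes tagged with whether the site’s own HTTP response or an extension wrote them) is an assumption about what an instrumented test browser could record, and the affiliate cookie names are assumed as well.

```javascript
// Added example: flag affiliate cookies that were not preceded by a genuine
// click-through. Event format and cookie names are assumptions; the sample
// log at the bottom is constructed.

// Cookie names treated as affiliate-attribution cookies (assumed names).
const AFFILIATE_COOKIES = new Set(["aff_id", "partner_ref"]);

const hostOf = (url) => new URL(url).hostname;
const cookieDomain = (d) => d.replace(/^\./, ""); // ".shop.example" -> "shop.example"

// A legitimate attribution cookie follows a click-through: a navigation to the
// merchant, carrying a referrer, shortly before the cookie is written. Anything
// else (no visit at all, a visit with no referrer, or a cookie written by an
// extension rather than the merchant's response) is reported with its reasons.
function detectCookieStuffing(events, windowMs = 10_000) {
  const navs = [];
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "nav") {
      navs.push(ev);
      continue;
    }
    if (ev.type !== "cookie" || !AFFILIATE_COOKIES.has(ev.name)) continue;
    const domain = cookieDomain(ev.domain);
    const reasons = [];
    if (ev.writer === "extension") {
      reasons.push("written by an extension, not by the merchant's response");
    }
    const visit = navs.find(
      (n) => hostOf(n.url) === domain && n.t <= ev.t && ev.t - n.t <= windowMs
    );
    if (!visit) reasons.push(`no navigation to ${domain} in the preceding ${windowMs} ms`);
    else if (!visit.referrer) reasons.push("visit had no referrer, so no partner click-through");
    if (reasons.length) findings.push({ t: ev.t, domain, name: ev.name, reasons });
  }
  return findings;
}

// Constructed log: one real click-through (blog -> shop), one cookie stuffed
// by an extension with no visit at all, and one typed-in visit with no referrer.
const SAMPLE_EVENTS = [
  { t: 1000, type: "nav", url: "https://blog.example/review", referrer: "" },
  { t: 2000, type: "nav", url: "https://shop.example/?aff_id=42", referrer: "https://blog.example/review" },
  { t: 2100, type: "cookie", domain: ".shop.example", name: "aff_id", writer: "http" },
  { t: 60000, type: "cookie", domain: ".store.example", name: "partner_ref", writer: "extension" },
  { t: 70000, type: "nav", url: "https://market.example/", referrer: "" },
  { t: 70100, type: "cookie", domain: ".market.example", name: "aff_id", writer: "http" },
];

for (const f of detectCookieStuffing(SAMPLE_EVENTS)) {
  console.log(`${f.domain} ${f.name} @${f.t}: ${f.reasons.join("; ")}`);
}
```

The shop.example cookie passes because the visit came from the blog and the merchant itself set the cookie. The store.example cookie is the AddScript pattern: written by an extension with no visit to the merchant at all. The market.example case is only a weak signal (a user may well type a URL that carries an affiliate parameter), which is why the detector reports reasons rather than a verdict.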
FB Stealer: A Cookie Thief
FB Stealer, another family of malicious extensions, works differently. Unlike AddScript, members of this family do not drop “extras” onto the device but instead steal cookies that matter. Here is how it works:
The FB Stealer extension arrives on users’ devices together with the NullMixer Trojan, which victims often pick up when trying to download a pirated software installer.
Once installed, the Trojan modifies the file in which Chrome stores the profile’s settings, including the list of installed extensions, so that the browser picks up the malicious extension without the user ever installing it.
Then, after activation, FB Stealer masquerades as the Google Translate extension, so users let their guard down.
The extension looks official; the only drawback for attackers is that the browser warns that the official store contains no information about it.
A browser warning that the official store does not contain information about this extension.
Members of this family also replace the browser’s default search engine, but that’s not the worst thing about these extensions.
The main function of FB Stealer is to steal session cookies from users of the world’s largest social network: Facebook, from which its name comes.
These are the same cookies that let you skip the login each time you visit the site, so whoever holds them can enter the account without the password. By taking over an account in this way, attackers can, for example, message the victim’s friends and family asking for money. If you suspect this has happened, change the password and end all active sessions from the account’s security settings, so that the stolen cookies stop working.
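Two things in this story are visible on disk: an extension that the browser itself says did not come from the store, and a manifest that combines the `cookies` permission with host access to facebook.com. The script below is an added example, not code from the report: it lists the extensions recorded in a Chrome profile’s preferences and flags the ones that look side-loaded or that can read a sensitive site’s cookies. On disk that record is the JSON file `Preferences` (and `Secure Preferences` on Windows) in the profile directory; the key layout and field names used here (`extensions.settings`, `from_webstore`, `location`, `state`, `manifest`) follow Chromium’s extension preferences as I understand them and should be treated as assumptions, as should the sample document, which is constructed and names its second entry after the masquerade described above.

```javascript
// Added example: enumerate extensions from a Chrome profile's preferences
// JSON and flag side-loaded ones or ones able to read a sensitive site's
// cookies. Field names and the location mapping are assumptions about
// Chromium's extension prefs; SAMPLE_PREFS is constructed.

// Chromium ManifestLocation values (assumed mapping; 1 is a normal user install).
const LOCATION_NAMES = {
  1: "internal (installed by the user)",
  2: "external pref file",
  3: "external registry key",
  4: "unpacked",
  5: "component",
  6: "external pref download",
  7: "policy download",
  8: "command line",
  9: "external policy",
  10: "external component",
};

// Does a match pattern such as "*://*.facebook.com/*" or "<all_urls>" cover host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return host === h;
}

// Flatten extensions.settings into one record per extension id.
function listExtensions(prefs) {
  const settings = prefs.extensions?.settings || {};
  return Object.entries(settings).map(([id, s]) => {
    const manifest = s.manifest || {};
    const perms = manifest.permissions || [];
    const isHost = (p) => p === "<all_urls>" || p.includes("://");
    return {
      id,
      name: manifest.name || "(no manifest)",
      enabled: s.state === 1,
      fromWebstore: s.from_webstore === true,
      location: s.location,
      apiPermissions: perms.filter((p) => !isHost(p)),
      hostPatterns: [...(manifest.host_permissions || []), ...perms.filter(isHost)],
    };
  });
}

function flagSuspicious(extensions, sensitiveHost = "www.facebook.com") {
  const out = [];
  for (const e of extensions) {
    const reasons = [];
    if (!e.fromWebstore) reasons.push("not installed from the Chrome Web Store");
    if (e.location !== 1) reasons.push(`install location: ${LOCATION_NAMES[e.location] || e.location}`);
    const coversHost = e.hostPatterns.some((p) => patternCoversHost(p, sensitiveHost));
    if (e.apiPermissions.includes("cookies") && coversHost) {
      reasons.push(`cookies permission with host access to ${sensitiveHost}: can read its session cookies`);
    }
    if (reasons.length) out.push({ id: e.id, name: e.name, enabled: e.enabled, reasons });
  }
  return out;
}

// Constructed sample in the shape of a profile's Preferences file. Real
// extension ids are 32 letters a-p; these are placeholders.
const SAMPLE_PREFS = {
  extensions: {
    settings: {
      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: {
        from_webstore: true, location: 1, state: 1,
        manifest: { name: "Spell checker (sample)", manifest_version: 3,
          permissions: ["storage"], host_permissions: ["https://spell.example/*"] },
      },
      bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: {
        from_webstore: false, location: 2, state: 1,
        manifest: { name: "Google Translate", manifest_version: 2,
          permissions: ["cookies", "<all_urls>"] },
      },
    },
  },
};

for (const f of flagSuspicious(listExtensions(SAMPLE_PREFS))) {
  console.log(`${f.id} "${f.name}" enabled=${f.enabled}: ${f.reasons.join("; ")}`);
}
```

To run it on a real profile, read the file with `fs.readFileSync`, `JSON.parse` it and pass the object to `listExtensions`; any entry with a store-looking name but `from_webstore: false` is exactly the case the browser warning in the next paragraph describes, only visible without waiting for the prompt.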
How to stay safe
Browser extensions are useful tools, but it is important to exercise caution and be aware of the danger they can pose, as they are not as harmless as you might think. Therefore, we recommend you take the following security measures:
- Download browser extensions only from official sources. Remember that this is not a cast-iron guarantee of security: malicious browser extensions sometimes make it into official stores as well, but these platforms do care about user safety and eventually remove malicious extensions.
- Don’t install too many browser extensions, and check the installed list regularly (in Chrome, chrome://extensions). If you see something you did not install, that is a clear sign something is wrong.
- Use a reliable security solution.