Have you installed any browser extensions, such as auto-blocking ads, translating/spell checking, etc.? Its functions are wide-ranging. However, extensions can pose serious security risks and can be very dangerous if not checked for safety. What threats have we seen so far? Based on data on malicious browser extensions from our experts‘ latest report.
Definition of extensions and their role
An extension is a plug-in that adds functionality to your browser. There are many different types, such as blocking certain web pages, adding notes, or checking to spell. There is also an official extensions portal where you can choose, compare and install the plugins you need from popular web browsers such as Google Chrome and Safari. On the other hand, some extensions are distributed in other unofficial places.
Importantly, in order for extensions to work, they need permission to read and modify the content of the web pages you view in your browser. Without this access, the extension would be completely useless.
For Google Chrome, extensions can read and change any data on any website you visit. For example, the popular Google Translate extension on the Chrome Web Store, “ Privacy Practices, ” states that it collects information about your location, user activity, and website content. However, access to all data from all websites is not revealed to the user until the extension is installed.
Perhaps many users do not read the privacy policy carefully and automatically click Add to Chrome and start using the plugin immediately. As such, these extensions present an opportunity for cybercriminals to deliver adware and even malware that looks like harmless extensions.
Adware extensions have the power to modify the content displayed on websites and cause advertisements to be displayed on websites opened by users. In this case, the extension creator makes money when users click on the ad and visit the website. We may also analyze your search history and other data to improve the content of targeted advertisements.
If this extension turns out to be malicious, the situation is dire. By accessing the content of every website you visit, attackers can steal your card details, cookies, and other sensitive information. Let’s look at some examples.
Malicious document management tools
In recent years, cybercriminals have been actively spreading an adware extension known as the malicious WebSearch family. Those in this family usually mimic the tools they use for Office files, such as those that can convert Word to PDF.
Most of its extensions can actually perform that function. But after it is installed, it changes the browser homepage to another minisite. The site has a search bar, and affiliate links with tracking, and redirects users to third-party websites such as AliExpress and Farfetch.
The malicious add-on also changes the default search engine to something called search. myway. This allows cybercriminals to collect and analyze users’ search queries and display more relevant links based on their interests.
Currently, the WebSearch extension is no longer available in the official Chrome store. However, there are still places where it can be downloaded.
Adware add-ons that cannot be removed
Another popular adware extension, a variant of DealPly, sneaks onto users’ computers along with pirated content downloaded from questionable sites. It works much like the WebSearch plugin.
The DealPly extension similarly replaces your browser homepage with a mini-site containing affiliate links to popular digital platforms. Also, like malicious WebSearch extensions, it modifies the default search engine, analyzes user’s search queries, and so on to generate more customized ads.
Additionally, the DealPly family of extensions is very difficult to get rid of. Even if the user removes the adware extension, it will be reinstalled on the device every time the browser is opened.
AddScript leaving unnecessary cookies
The AddScript family of extensions masquerade as tools to download music and videos from social networks and proxy server managers. While downloading music and videos, it also uses malicious code to infect the victim’s device. The attackers then use this code to play videos in the background without the user’s knowledge and earn money based on the number of views.
Cybercriminals also make money by downloading cookies to victims’ devices. Cookies are generally stored on your device when you visit a website and act like a digital footprint. Affiliate sites usually promise to direct users to legitimate sites. But with the AddScript family of extensions, cybercriminals lure users to their sites. It then stores cookies on the user’s computer and guides them to the target site. This cookie allows the site to know where new customers are coming from and pay a fee to its criminal partners. This fee may be paid in return for the redirect itself, a percentage of the items purchased, or even for certain actions such as registration.
AddScript scammers abuse the mechanism with malicious extensions. Instead of sending users visiting real websites to partners, they download multiple cookies to users’ devices. These cookies act as beacons for the scammer’s partner program, and scammers using AddScript receive commissions. In fact, they are not attracting new customers. Their activity is aimed at infecting computers with malicious extensions.
to keep in mind
Browser extensions are useful tools, but you need to make sure they’re really safe. So, we recommend the following security measures:
Only download extensions from official stores. However, even this does not guarantee perfect security. Malicious extensions sometimes find their way into official stores.
Don’t install too many extensions and check the list of extensions regularly. If you find something you didn’t install yourself, that’s a clear red flag.