Months ago, Google published a blog post informing Google Chrome users that they can no longer install browser extensions from third-party sites. The stated reason is security: by permitting only extensions hosted in the official Chrome Web Store, Google intends to vet those extensions and keep malicious ones out.
Unfortunately, such measures are not enough to deter cybercriminals. We have previously reported on malware that bypasses this restriction and installs a malicious browser extension anyway. We recently found that cybercriminals are also placing their malicious extensions directly in the official Web Store, where the store-only policy does nothing to stop them.
Spammed Facebook Messages
The first step of this particular attack begins on Facebook. A spammed message circulates with a link to a video, supposedly of drunk girls. If the recipient clicks the link, they are redirected to a site mimicking YouTube, where a notification states that a particular Chrome extension must be installed before the video can be viewed.
Figure 1. Fake YouTube site that requires installation of browser extension
If the user proceeds, they are sent to the official Chrome Web Store to install the extension. Once it is installed, the user is redirected to a real YouTube video of drunk girls, so the victim does get the promised content.
Figure 2. Browser extension is hosted in official Chrome Web Store
Figure 3. Users are redirected to the legitimate version of YouTube
Once installed, the malicious extension (detected as BREX_FEBIPOS.OKZ) can post statuses and comments on Facebook from the victim's browser. It can also send messages and links via Facebook's chat function, which is likely how the spammed messages in the first step are propagated.
The Man Behind the Extension
Our investigation reveals that the author of this extension rented a virtual private server (VPS) in Russia, on which he hosts several domains he registered:
- meusvirais[.]info – C&C server to which data stolen from infected users is sent. The stolen data consists of account credentials for popular online services such as Google, Facebook and Twitter.
- cbrup[.]info – hosts the CAPTCHA-breaking software used while stealing information. This server also receives stolen data.
- SuperFunVideos[.]info – used to register the extension in the Chrome Web Store.
- brsupbr[.]info – not used in this attack
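As an added example that is not part of the original post: a small Node.js script that checks outbound proxy log lines against the defanged domains listed above, refanging them and matching subdomains as well as the bare domain. The log format and the log lines are constructed for illustration; only the four domain names come from the post.

```javascript
// Added example (not from the original post): match hostnames in outbound
// proxy log lines against the defanged C&C domains listed above.
"use strict";

// Defanged indicators exactly as written in the post.
const IOC_DOMAINS_DEFANGED = [
  "meusvirais[.]info",
  "cbrup[.]info",
  "SuperFunVideos[.]info",
  "brsupbr[.]info",
];

// Turn "example[.]com" back into "example.com" and normalise case, since
// hostnames are case-insensitive and the post mixes cases.
function refang(domain) {
  return domain.replace(/\[\.\]/g, ".").toLowerCase();
}

// True if host equals the IOC or is a subdomain of it: www.cbrup.info must
// match cbrup.info, but notcbrup.info must not.
function hostMatches(host, ioc) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === ioc || h.endsWith("." + ioc);
}

// Pull the hostname out of a URL or a bare host[:port] field; null if the
// field cannot be parsed.
function hostnameOf(field) {
  try {
    return new URL(field.includes("://") ? field : "http://" + field).hostname;
  } catch (e) {
    return null;
  }
}

// Scan whitespace-separated log lines whose third column is a URL or host.
// Constructed format: "<timestamp> <client-ip> <url-or-host> <status>".
function scanLogLines(lines, defangedIocs) {
  const iocs = defangedIocs.map(refang);
  const hits = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) continue;
    const host = hostnameOf(parts[2]);
    if (!host) continue;
    const matched = iocs.find((ioc) => hostMatches(host, ioc));
    if (matched) hits.push({ client: parts[1], host, ioc: matched, line });
  }
  return hits;
}

// Constructed sample log, not real telemetry.
const SAMPLE_LOG = [
  "2014-04-01T10:00:01Z 10.0.0.5 http://www.youtube.com/watch?v=abc 200",
  "2014-04-01T10:00:03Z 10.0.0.5 http://meusvirais.info/gate.php 200",
  "2014-04-01T10:00:04Z 10.0.0.7 www.cbrup.info:8080 200",
  "2014-04-01T10:00:05Z 10.0.0.9 http://notcbrup.info/ 200",
  "2014-04-01T10:00:06Z 10.0.0.5 https://superfunvideos.info/ 200",
];

for (const hit of scanLogLines(SAMPLE_LOG, IOC_DOMAINS_DEFANGED)) {
  console.log(`${hit.client} -> ${hit.host} (matches ${hit.ioc})`);
}
```

The suffix check deliberately requires a leading dot so that look-alike registrations such as `notcbrup.info` do not produce false positives; swap `SAMPLE_LOG` for lines read from a real proxy or DNS log with the same column layout.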
Data from the Smart Protection Network shows that the majority of users who accessed these sites were in Brazil. Other victims were in countries such as the UK, the US, and Argentina.
He has at least one more VPS, which hosts about 30 domains selling weight-loss products, English-language tutoring services, and work-from-home offers. He uses among.us as an online counter to track his number of victims and Dropbox to host the fraudulent pages.
More Malicious Extensions
We advise users to avoid clicking links in messages, even when they appear to come from friends or contacts; as this attack shows, such messages can come from compromised accounts. We also advise users to scrutinize browser extensions before installing them. Read the reviews, check the ratings, and look at the permissions the extension requests at install time: an extension that only claims to play a video has no business asking for access to your data on all websites. Reviews and ratings can indicate whether an extension actually does what it advertises, though, as this case shows, a listing in the official Web Store is no guarantee by itself.
The extension used in this attack is no longer available in the Chrome Web Store. We have reported the other extensions we found to Google.
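An added example of the kind of scrutiny meant here, not code from the original post or from the extension it describes: a Node.js script that reads an extension's manifest.json and flags the host access, API permissions and content-script targets that a credential-stealing, Facebook-posting extension would need. The manifest below is constructed for illustration and is not the real extension's; the permission names are Chrome's, but which ones count as risky is this example's own judgement.

```javascript
// Added example (not from the original post): audit a Chrome extension
// manifest.json for capabilities that let it read credentials or act on
// social-network sites from inside the victim's browser.
"use strict";

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
]);

// API permissions worth a second look, with the reason shown in the report.
const RISKY_API_PERMISSIONS = {
  cookies: "can read session cookies for any granted host",
  webRequest: "can observe every request the browser makes",
  webRequestBlocking: "can rewrite or block requests (legacy MV2)",
  declarativeNetRequest: "can redirect or modify requests (MV3)",
  tabs: "can read URLs and titles of every open tab",
  history: "can read browsing history",
  management: "can disable other extensions, e.g. security tools",
  proxy: "can route all traffic through an attacker-controlled proxy",
  debugger: "can attach the DevTools protocol to any tab",
  nativeMessaging: "can talk to native programs on the host",
};

// Services the post names as targets; a content script injected there is the
// pattern described (posting on Facebook, stealing Google/Facebook/Twitter logins).
const SENSITIVE_SITE_RE = /(^|\.)(facebook|google|twitter)\.com$/i;

// Hostname part of a match pattern such as "*://*.facebook.com/*", with the
// leading "*." wildcard stripped; null for "<all_urls>" or malformed input.
function hostOfPattern(pattern) {
  const m = /^[a-z*]+:\/\/([^/]+)\//i.exec(pattern);
  return m ? m[1].replace(/^\*\./, "") : null;
}

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 lists host patterns in "permissions"; MV3 moves them to "host_permissions".
  const hostPerms = [...perms.filter(isHostPattern), ...(manifest.host_permissions || [])];
  const apiPerms = perms.filter((p) => !isHostPattern(p));

  for (const h of hostPerms) {
    if (BROAD_HOST_PATTERNS.has(h)) findings.push(`host access to all sites: ${h}`);
  }
  for (const p of apiPerms) {
    if (p in RISKY_API_PERMISSIONS) findings.push(`${p}: ${RISKY_API_PERMISSIONS[p]}`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      const host = hostOfPattern(m);
      if (BROAD_HOST_PATTERNS.has(m)) findings.push(`content script on every page: ${m}`);
      else if (host && SENSITIVE_SITE_RE.test(host)) findings.push(`content script injected into ${host}`);
    }
  }
  return findings;
}

// Constructed manifest for illustration, not the real extension's.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Video Viewer Helper (constructed)",
  version: "1.0",
  permissions: ["tabs", "cookies", "webRequest", "http://*/*", "https://*/*"],
  content_scripts: [
    { matches: ["*://*.facebook.com/*", "*://accounts.google.com/*"], js: ["inject.js"] },
  ],
  background: { scripts: ["bg.js"] },
};

for (const finding of auditManifest(SAMPLE_MANIFEST)) {
  console.log("FINDING:", finding);
}
```

To run it against an installed extension, load the manifest with `JSON.parse(fs.readFileSync(...))` from the extension's unpacked directory and pass the object to `auditManifest`. A "video player" that needs cookies, webRequest and a content script on facebook.com is exactly the mismatch between advertised purpose and requested capability that the advice above is about.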
The SHA1 hashes of the malicious files are: