Google removed 106 Chrome browser extensions Thursday from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data. In the research, also published Thursday, Awake Security alleged millions of Chrome users have been targeted by threat actors. The attackers used the Google Chrome browser extensions to not only steal data, but also to create persistent footholds on corporate networks.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said Scott Westover, a Google spokesperson, in a statement.
While Google has long policed its Chrome Web Store for rogue browser extensions, what sets this effort apart is that it was allegedly part of a coordinated and “massive global surveillance campaign.” Researchers also assert that the campaign was aided by the internet domain registrar CommuniGal Communication Ltd. (GalComm).
GalComm owner Moshe Fogel told the news agency Reuters that his company was unaware of the malicious activity and had done nothing wrong.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel told Reuters. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”
Researchers alleged that GalComm enabled the operators behind the browser extensions by allowing them to cloak their infrastructure. The registrar, they said, let the criminals bypass “multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity.”
“In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions,” researchers wrote. “These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.”
Gary Golomb, co-founder and chief scientist of Awake Security, wrote in a technical breakdown of the threat, “Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60 percent, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools. Through a variety of evasion techniques, these domains have avoided being labeled as malicious by most security solutions and have thus allowed this campaign to go unnoticed.”
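The capabilities the researchers list above (screenshots, clipboard reads, cookie and parameter harvesting, keystroke capture) and the self-hosted command-and-control domains all leave traces in an extension's manifest. The following triage script is an added example, not code from Awake Security, Google or Threatpost: it scores a Chrome extension manifest by the permissions and content-script scope that make those capabilities possible, flags an `update_url` outside the Chrome Web Store, and checks every host the manifest references against a blocklist. The two manifests, the `example-c2.invalid` domain and the severity ladder are constructed for illustration; a real run would load the `manifest.json` files from a Chrome profile's `Extensions` directory and a blocklist of domains the analyst already distrusts.

```javascript
// Added example (not from Awake Security, Google or Threatpost): triage a Chrome
// extension manifest for the capabilities the report describes and for
// references to hosts outside the Chrome Web Store. Sample manifests, the
// blocklist and the severity thresholds are constructed for illustration.

const WEBSTORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';

// Manifest permissions mapped to what an attacker can do with them.
const PERMISSION_CAPABILITIES = {
  clipboardRead: 'read the clipboard',
  cookies: 'harvest cookies and session tokens',
  webRequest: 'inspect request URLs, parameters and headers',
  webRequestBlocking: 'modify or redirect requests',
  nativeMessaging: 'launch a native host (foothold outside the browser)',
  management: 'disable other extensions, including security tooling',
};

// True for a match pattern that grants access to every site.
function isAllUrls(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Hostname of a match pattern ("*://*.foo.com/*") or URL, wildcard prefix stripped.
function hostOf(pattern) {
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)/.exec(pattern);
  return m ? m[1].replace(/^\*\./, '').toLowerCase() : null;
}

function onBlocklist(host, blocklist) {
  return blocklist.some(d => host === d || host.endsWith('.' + d));
}

// Returns { level, findings } for one manifest (MV2 permissions or MV3 host_permissions).
function triageManifest(manifest, blocklist) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hostPatterns = perms.filter(p => p === '<all_urls>' || p.includes('://'));
  const allSites = hostPatterns.some(isAllUrls);

  for (const p of perms) {
    if (PERMISSION_CAPABILITIES[p]) findings.push(`permission ${p}: ${PERMISSION_CAPABILITIES[p]}`);
  }
  if (allSites) findings.push('host permission on every site');
  // tabs plus all-site host access is what captureVisibleTab needs to screenshot any page.
  if (allSites && perms.includes('tabs')) findings.push('can screenshot any tab (tabs + <all_urls>)');

  // A content script injected into every page at document_start runs before the
  // page's own code and can hook keydown and form submission (credential capture).
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isAllUrls)) {
      findings.push(cs.run_at === 'document_start'
        ? 'content script on every site at document_start (keystroke/form capture)'
        : 'content script on every site');
    }
  }

  // Web Store extensions update from Google; any other update_url is self-hosted.
  if (manifest.update_url && manifest.update_url !== WEBSTORE_UPDATE_URL) {
    findings.push(`self-hosted update_url: ${manifest.update_url}`);
  }

  // Every concrete host the manifest references, checked against the blocklist.
  const referenced = new Set();
  const addHost = p => { const h = hostOf(p); if (h && h !== '*') referenced.add(h); };
  hostPatterns.forEach(addHost);
  for (const cs of manifest.content_scripts || []) (cs.matches || []).forEach(addHost);
  if (manifest.update_url) addHost(manifest.update_url);
  const blocked = [...referenced].filter(h => onBlocklist(h, blocklist));
  for (const h of blocked) findings.push(`references blocklisted domain ${h}`);

  const exfilCapable = perms.some(p => ['cookies', 'clipboardRead', 'webRequest'].includes(p));
  const keylogCapable = findings.some(f => f.includes('document_start'));
  let level = 'low';
  if (findings.length) level = 'medium';
  if (allSites && (exfilCapable || keylogCapable)) level = 'high';
  if (blocked.length) level = 'critical';
  return { level, findings };
}

// Constructed sample inputs: one harmless extension, one matching the report's profile.
const SUSPICIOUS_DOMAINS = ['example-c2.invalid'];
const SAMPLE_MANIFESTS = {
  benign: { name: 'Tab Counter', permissions: ['storage'], update_url: WEBSTORE_UPDATE_URL },
  surveillance: {
    name: 'Search Helper',
    permissions: ['tabs', 'cookies', 'clipboardRead', 'webRequest', '<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'], run_at: 'document_start' }],
    update_url: 'https://updates.example-c2.invalid/crx',
  },
};

function triageAll(manifests = SAMPLE_MANIFESTS, blocklist = SUSPICIOUS_DOMAINS) {
  const report = {};
  for (const [name, m] of Object.entries(manifests)) report[name] = triageManifest(m, blocklist);
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(triageAll())) console.log(name, r.level, r.findings);
}
```

The blocklist check is the cheap part; the permission and content-script findings are what matter when, as the researchers describe, the domains themselves are not yet labeled malicious by reputation feeds. An extension that combines all-site host access with `cookies`, `clipboardRead` or a `document_start` content script warrants a look regardless of where it updates from.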
Over 100 networks were abused, giving threat actors a foothold in financial services firms, oil and gas companies, healthcare and pharmaceutical companies and government organizations. Golomb said browser extensions are the “new malware,” explaining that critical business applications like Microsoft 365, Google services, Salesforce and Zoom are browser-dependent.
“Passively targeting these applications with malicious browser extensions is akin to the new attacker rootkit,” he wrote.
In February, Duo Security uncovered a similar campaign: 500 Google Chrome browser extensions, downloaded millions of times from Google’s Chrome Web Store, were secretly uploading private browsing data to attacker-controlled servers and redirecting victims to malware-laced websites.