Malicious Browser Extensions

2022-11-18

Browser extensions are small blocks of code that allow users to customise the browsing experience and add features and functionality to a basic browser. These features can include blocking advertisements, changing the appearance of web pages, grammar-checking your writing, and much more. Extensions can typically be downloaded for free from official browser provider sites, for instance Chrome’s, Safari’s, and Mozilla’s online stores, or from other sites. As they improve the convenience, productivity, and efficiency of browsers for both personal and work-related activities, extensions have become increasingly popular.
Browser extensions, however, are not always as secure as they look, and can pose a significant challenge to cybersecurity. Extensions can be installed with just one click, typically have full access to the contents of any web page the user loads, and can handle sensitive data. This has made extensions a valuable target for threat actors.

Malicious extensions, and “good” extensions gone bad

Given the popularity of browser extensions, cybercriminals have found ways to package malware inside seemingly legitimate extensions. These add-ons may impersonate legitimate and popular extensions, or may have legitimate and helpful functions in addition to the malicious ones. Malicious extensions allow threat actors to perform many illicit activities, including spying on users’ web activity and stealing sensitive data such as passwords and personal and financial information.

Threat actors have also managed to distribute malicious extensions through browsers’ official marketplaces. In 2020, Google found and subsequently removed over 106 extensions from the Chrome Web Store, which had been downloaded over 32 million times. These malicious extensions were responsible for tracking and stealing sensitive information, including passwords, and could even take screenshots. The users who had downloaded these malicious extensions included businesses as well, giving threat actors access to financial services firms, oil and gas companies, and healthcare and government organisations.

The most popular type of malicious extension is the one containing adware. Threat actors insert unwanted software in the extensions that allows them to generate revenue by automatically displaying a high number of advertisements on users’ screens. The second most popular type is extensions that contain malware, which can track users’ activity, steal information, gain access to users’ cameras and photos, and access users’ emails and sensitive data. Legitimate extensions can also turn into malicious ones at a later time: they can be hijacked or bought by threat actors, who can then push updates that inject malicious code into the extension.

According to Kaspersky’s findings, between 2020 and 2022 almost 7 million users attempted to download malicious browser extensions, of which 70% were infected with adware.

 

How to stay protected

To avoid inadvertently installing malicious extensions there are some elements to pay particular attention to:

  • First, it is essential to consider whether the extension is really needed, as even some legitimate extensions can negatively affect the browser’s performance. Before installing an extension, it is recommended to check its publisher, and go to the official website to download it, rather than relying on the results of search engines. This way, users can avoid installing extensions from unofficial sources.
  • Another useful tip is to carefully read the permissions that the extension requires, for instance access to the users’ camera or geolocation, and assess whether these permissions are worth it for the specific extension. By visiting browser forums users can check whether anyone else has complained or raised flags on an extension. Once the extension is installed, it is important to keep an eye out for suspicious and unusual behaviour, for instance if there is a significant increase in the amount of adverts displayed on the users’ screen. Lastly, if an extension is no longer used, it is always recommended to remove it, in order to decrease the potential attack surface that threat actors could exploit.
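
The permission review described above can be automated against an extension's `manifest.json`. The following is an added example, not code from the original article: the list of permissions treated as sensitive, the severity labels, and the sample manifest are choices made for illustration.

```python
import json

# Chrome extension permissions that expose sensitive data (illustrative selection).
SENSITIVE_PERMISSIONS = {
    "cookies": "read and modify site cookies",
    "history": "read browsing history",
    "tabs": "see URLs and titles of open tabs",
    "webRequest": "observe network requests",
    "geolocation": "read the device location",
    "clipboardRead": "read the clipboard",
    "desktopCapture": "capture screen contents",
    "tabCapture": "capture tab contents",
    "nativeMessaging": "talk to programs outside the browser",
}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return a sorted list of (severity, finding) tuples for one manifest.json."""
    m = json.loads(manifest_text)
    declared = [p for key in ("permissions", "optional_permissions")
                for p in m.get(key, []) if isinstance(p, str)]
    # Manifest V3 lists hosts separately; Manifest V2 mixes them into "permissions".
    hosts = list(m.get("host_permissions", []))
    hosts += [p for p in declared if "://" in p or p == "<all_urls>"]
    for script in m.get("content_scripts", []):
        hosts += script.get("matches", [])
    findings = set()
    for h in hosts:
        if h in BROAD_HOSTS:
            findings.add(("high", f"access to all sites via {h}"))
    for p in declared:
        if p in SENSITIVE_PERMISSIONS:
            findings.add(("medium", f"{p}: {SENSITIVE_PERMISSIONS[p]}"))
    return sorted(findings)

# Constructed sample: a "dark mode" extension asking for far more than it needs.
SAMPLE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Example Dark Mode (constructed sample)",
  "version": "1.0",
  "permissions": ["storage", "cookies", "history", "geolocation"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["theme.js"]}]
}"""

if __name__ == "__main__":
    for severity, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {finding}")
```

A finding is a prompt to ask whether the extension's stated purpose justifies the access, not proof that the extension is malicious.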

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.
