Security researchers have uncovered a large-scale criminal surveillance operation that has impacted users of Google's market-leading Chrome web browser.
According to Reuters, the spyware effort reached users through 32 million downloads of extensions for the Chrome browser.
Chrome extensions have been compromised before. In 2013, in an effort to improve security, Google opted to disable the installation of Chrome extensions from third-party websites.
But that did not resolve the problem.
In 2017, for example, compromised extensions hijacked Chrome users' web traffic and exposed them to potentially malicious pop-ups and credential theft.
But now in a blog post, Awake Security announced that it had “uncovered a massive global surveillance campaign exploiting the nature of Internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments.”
“If anything, the severity of this threat is magnified by the fact that it is blatant and non-targeted – i.e. an equal opportunity spying effort,” the researchers warned. “The research shows that this criminal activity is being abetted by a single Internet Domain Registrar: CommuniGal Communication Ltd. (GalComm).”
GalComm is a small registrar, based in Israel.
The researchers said that by exploiting the trust placed in it as a domain registrar, “GalComm has enabled malicious activity that has been found across more than a hundred networks we’ve examined.”
“Furthermore – the malicious activity has been able to stay hidden by bypassing multiple layers of security controls, even in sophisticated organisations with significant investments in cybersecurity,” the researchers said.
Google in response announced that it has removed more than 70 of the malicious add-ons from its official Chrome Web Store, after being alerted by the researchers last month.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
It seems that most of the free extensions at the centre of the security scare purported to warn users about questionable websites or to convert files from one format to another.
But in reality these extensions “siphoned off browsing history and data that provided credentials for access to internal business tools.”
What is particularly concerning is the number of downloads these extensions achieved.
Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, Awake co-founder and chief scientist Gary Golomb told Reuters.
It is also proving difficult to identify who was behind the effort to distribute the spyware.
Awake reportedly said the developers supplied fake contact information when they submitted the extensions to Google.
Awake told Reuters that Galcomm should have known what was happening.
But in an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”
Fogel said there was no record of the inquiries Golomb said he made in April and again in May to the company’s email address for reporting abusive behaviour, and he asked for a list of suspect domains. Reuters sent him that list three times without getting a substantive response.
But one security expert warned that users must be cautious when using third party browser extensions, as their security can never be 100 percent guaranteed.
“Browser extensions can be extremely useful and come with thousands of benefits – but you should remain cautious when you download anything to your machine,” explained Jake Moore, cybersecurity specialist at ESET.
“Being vigilant about extensions usually means reading the reviews but, in many cases, this still won’t be enough as some may not be legitimate especially as most browser extensions are free,” said Moore.
“There are, however, ways to stay more careful when downloading third party extensions,” he added. “Usually, they will ask for permissions to be granted for access to data or other information on your machine, which I recommend you don’t give. Google can’t ever guarantee 100 percent security on all of their third party add-ons so you must be careful.”
Another security expert noted that the malicious actors may have exploited the more relaxed rules of this particular developer ecosystem.
“Spyware, or other malware, finding its way into software repositories is a known risk,” said Boris Cipot, senior security engineer at Synopsys. “Indeed, this is simply an unfortunate by-product of a software development ecosystem that chooses to relax the rules in favour of greater quantities of software offerings. There is no doubt then that malicious actors will take advantage of this to distribute malicious code.”
“Users also need to be aware of the software they use,” Cipot added. “This includes, not only main assets such as Office or the Chrome Browser, but also the extensions that are installed with those assets.”
“These are all a part of the inventory list of software-used and should therefore, be tracked and handled appropriately,” he said. “More importantly, users should never install ‘untrustworthy’ software. In order to know whether the software is or is not trustworthy, it is important that you do your research. Who is the developer? What does the software do? Where is the data going? What can the software access? Are the software extensions well-maintained? Are there any existing vulnerabilities to be wary of?”
“Unfortunately, many often do not spend enough time doing this research,” he said. “This is a habit that then carries over into the work environment and puts organisations at risk.”
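Both experts above make the same practical point: look at what an extension is allowed to access before (and after) installing it. The script below is an added example, not code from the article, Awake Security, ESET or Synopsys, and it does not reproduce the real extensions from the campaign. It reads Chrome extension manifests from the on-disk profile layout (Extensions/<id>/<version>/manifest.json) and flags the combinations that make the behaviour described in the article possible: host access to every site, APIs that expose browsing history, cookies and requests, and an update URL outside the Chrome Web Store. The permission lists, the two sample manifests and the placeholder extension IDs are constructed for illustration.

```python
from __future__ import annotations
import json
import tempfile
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that expose browsing activity, cookies or network requests.
# This selection is the editor's assumption, not an official Google risk ranking.
SENSITIVE_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies", "history",
    "tabs", "webNavigation", "proxy", "debugger", "nativeMessaging", "management",
    "clipboardRead", "downloads", "scripting",
}
# With all-hosts access, any of these is enough to watch what the user browses.
BROWSING_OBSERVERS = {"webRequest", "tabs", "webNavigation", "history"}

# Extensions installed from the Chrome Web Store update from this endpoint; anything
# else means the extension's code is fetched from a server Google does not review.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> dict:
    """Return a risk summary for one extension manifest (manifest v2 or v3)."""
    api_perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns in "permissions"; MV3 moves them to "host_permissions".
    host_perms = set(manifest.get("host_permissions", [])) | {
        p for p in api_perms if p in BROAD_HOST_PATTERNS or "://" in p
    }
    # Content scripts matched on every URL run inside every page as well.
    content_matches = {m for cs in manifest.get("content_scripts", [])
                       for m in cs.get("matches", [])}

    findings = []
    broad = (host_perms | content_matches) & BROAD_HOST_PATTERNS
    if broad:
        findings.append(f"runs on every site: {sorted(broad)}")
    sensitive = api_perms & SENSITIVE_API_PERMISSIONS
    if sensitive:
        findings.append(f"sensitive APIs: {sorted(sensitive)}")
    update_url = manifest.get("update_url")
    if update_url and update_url != WEB_STORE_UPDATE_URL:
        findings.append(f"updates from outside the Web Store: {update_url}")
    if broad and api_perms & BROWSING_OBSERVERS:
        findings.append("can record browsing history and page content for every site")
    return {"name": manifest.get("name", "<unnamed>"),
            "version": manifest.get("version"),
            "findings": findings,
            "risk": len(findings)}


def audit_profile(extensions_dir: Path) -> list[dict]:
    """Audit every extension under a Chrome profile's Extensions directory,
    highest-risk first (layout: <Extensions>/<id>/<version>/manifest.json)."""
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        report = audit_manifest(manifest)
        report["id"] = manifest_path.parts[-3]
        results.append(report)
    return sorted(results, key=lambda r: r["risk"], reverse=True)


# Constructed sample manifests; neither is a real extension from the campaign.
BENIGN_CONVERTER = {
    "manifest_version": 3, "name": "PDF to DOCX (sample)", "version": "1.0",
    "permissions": ["activeTab"],
    "update_url": WEB_STORE_UPDATE_URL,
}
SUSPICIOUS_SITE_CHECKER = {
    "manifest_version": 2, "name": "Safe Site Checker (sample)", "version": "2.3",
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking",
                    "cookies", "history", "tabs", "storage"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
    "update_url": "https://updates.example.invalid/crx",
}


def demo() -> list[dict]:
    """Write the two samples into a temporary Extensions-style tree and audit it.
    The 32-character IDs are placeholders in Chrome's a-p alphabet, not real IDs."""
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest in (("a" * 32, BENIGN_CONVERTER),
                             ("b" * 32, SUSPICIOUS_SITE_CHECKER)):
        path = root / ext_id / manifest["version"] / "manifest.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return audit_profile(root)


if __name__ == "__main__":
    for report in demo():
        print(f"{report['risk']}  {report['id']}  {report['name']}")
        for finding in report["findings"]:
            print("    -", finding)
```

To run it against a real profile, call audit_profile() with the Extensions directory of that profile (for example ~/.config/google-chrome/Default/Extensions on Linux). A high score is a prompt to look closer, not proof of malice: a legitimate ad blocker also needs all-hosts access and webRequest, which is exactly why the update URL and the developer's identity deserve the same scrutiny as the permission list.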