New spyware has been found in Google Chrome browser extensions that were downloaded more than 32 million times, according to reports.
According to the Awake Threat Research report, the firm found at least 111 “malicious or fake” Chrome extensions capable of:
- taking screenshots,
- stealing login credentials,
- capturing passwords as users typed them.
The campaign impacted a wide range of sectors including financial services, healthcare and government organisations, it added.
The research shows that this malicious activity is being abetted by a single Internet domain registrar, CommuniGal Communication Ltd. (GalComm), Awake said.
Awake found that, by exploiting the trust placed in it as a domain registrar, GalComm has enabled malicious activity that has been found across more than a hundred networks. The malicious activity has been able to stay hidden by bypassing multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity.
What Awake Security Found
Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious, hosting a variety of traditional malware and browser-based surveillance tools.
In the past three months alone, the security firm harvested 111 malicious or fake Chrome extensions that used GalComm domains for attacker command-and-control infrastructure and/or as loader pages for the extensions. According to the research, these extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, and grab user keystrokes (such as passwords).
To date, there have been at least 32,962,951 downloads of these malicious extensions, and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020.
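The capabilities listed above (screenshots, clipboard access, cookie harvesting, keystroke capture) all depend on permissions an extension must declare in its manifest, and the report ties the extensions to domains registered through one registrar. The script below is an added defender's example, not code from Awake or the article: it audits Chrome extension manifests for the permissions that make those capabilities possible and flags update or homepage URLs that resolve to a supplied list of suspect domains. The mapping from permissions to capabilities, the sample manifests and the `suspect-registrar-example.test` domain are all constructed for this example.

```python
import json
from urllib.parse import urlparse

# Assumed mapping (for this example) from Chrome extension permissions to the
# capabilities the report attributes to the malicious extensions.
RISKY_PERMISSIONS = {
    "clipboardRead": "read the clipboard",
    "cookies": "read credential tokens stored in cookies",
    "webRequest": "inspect request URLs and parameters",
    "tabs": "capture visible tab contents (screenshots)",
}
# Host patterns that grant access to every site the user visits.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed placeholder list; a real deployment would load this from threat intel.
SUSPECT_DOMAINS = ["suspect-registrar-example.test"]

# Constructed sample manifests (Manifest V3 form; V2 host patterns in "permissions"
# are handled too).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notes",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}],
    "homepage_url": "https://example.com/notes",
})
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Free Coupon Finder",
    "permissions": ["clipboardRead", "cookies", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["loader.js"]}],
    "update_url": "https://cdn.suspect-registrar-example.test/update.xml",
})


def _hostname(url):
    host = urlparse(url).hostname
    return host.lower() if host else None


def audit_manifest(manifest, suspect_domains):
    """Return human-readable findings for one parsed manifest (dict)."""
    findings = []
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

    for perm in sorted(declared & set(RISKY_PERMISSIONS)):
        findings.append(f"permission {perm}: can {RISKY_PERMISSIONS[perm]}")

    if declared & ALL_URL_PATTERNS:
        findings.append("host access on all URLs: can read page content on every site")

    # A content script injected into every page can hook key events.
    for script in manifest.get("content_scripts", []):
        if ALL_URL_PATTERNS & set(script.get("matches", [])):
            findings.append("content script on all URLs: can capture keystrokes such as passwords")
            break

    # Flag extensions that update from, or point home to, a suspect domain.
    for field in ("update_url", "homepage_url"):
        host = _hostname(manifest.get(field, ""))
        if host and any(host == d or host.endswith("." + d) for d in suspect_domains):
            findings.append(f"{field} points at suspect domain {host}")

    return findings


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label)
        for line in audit_manifest(json.loads(raw), SUSPECT_DOMAINS) or ["  no findings"]:
            print("  " + line)
```

In practice you would point this at the `manifest.json` files under each user's Chrome extensions directory and treat any extension with both broad host access and a risky permission as a candidate for review rather than as proof of malice; many legitimate extensions legitimately need one or two of these permissions.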
Google Removed Malicious Extensions
According to a Reuters report, Google parent company Alphabet said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesman Scott Westover told Reuters.
“We do regular sweeps to find extensions using similar techniques, code and behaviors,” Westover said, in language identical to what Google gave out after Duo’s report.
Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.
“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”