Content, Breach

How Hackers Infiltrated Google Chrome Web Browser

Millions of Google Chrome users worldwide have been robbed of money and personal credentials by hackers planting hundreds of dodgy extensions into the browser as part of an enormous surveillance campaign, new research said.

Unsuspecting Chrome devotees have downloaded the venomous extensions some 33 million times as cyber infiltrators have listed them at a furious rate in the Chrome Web store, a newly released Awake Security report found. In the last three months alone, Awake said it pinpointed more than 111 “malicious or fake” Chrome extensions capable of taking screenshots, reading clipboards, harvesting credential tokens stored in cookies and snatching user keystrokes to exfiltrate sensitive data. Financial services companies, healthcare organizations and government agencies are among multiple industries the tentacled operation has touched to gain footholds in corporate networks, the report said.

While legitimate extensions add features and capabilities to Chrome, the counterfeits don't enhance but instead detract. Their distinctive attribute appears to be an ability to avoid detection by skirting multiple layers of security controls even in organizations with muscular cyber defenses. The release of a trove of malodorous browser extensions of that magnitude calls into question the ability of traditional security solutions to detect activity of that nature. And, it surfaces the inattention of oversight and accountability on the internet’s infrastructure.

Owing to Chrome's dominance in the browser market, the fallout from systematically contaminating the platform cannot be overestimated. Chrome is by far the highest browser peak globally, commanding 68 percent of the desktop market and 64 percent of the mobile market, according to researcher NetMarketShare’s figures. No competitor even contends: Firefox holds eight percent of the desktop market while Apple’s Safari holds 27 percent of the mobile segment. More than three billion people globally use Chrome, according to one measure.

In perhaps a bit of hyperbole, Gary Golomb, co-founder & chief scientist of the Santa Clara, California-based Awake, pinned responsibility for the subterfuge solely on a single domain registrar, the Israel-based CommuniGal Communications (GalComm), calling it the internet’s “New Arms Dealers.” He claimed GalComm had “aided and abetted” malicious activity across more than 100 networks. According to Awake’s data, of the 26,079 reachable domains registered through GalComm, roughly 60 percent, or 15,160 domains, were at the very least suspicious, hosting traditional malware and browser-based surveillance tools. Here's a list of those domains. The fake Chrome extensions apparently used GalComm domains for attacker command and control infrastructure and also as loader pages.

“If anything, the severity of this threat is magnified by the fact that it is blatant and non-targeted—i.e. an equal opportunity spying effort,” Golomb said. Of note, as of last month, the 33 million downloaded crooked extensions found by Awake only accounts for those available on the Chrome Web store. Very few have been downloaded more than 10 million times, he said.

Moshe Fogel, GalComm’s owner, denied Golomb's accusations. "GalComm is not involved, and not in complicity with any malicious activity whatsoever," he told Reuters. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

Cleansing the Chrome store of corrupted extensions is a regular course of business for Google. In the aftermath of Awake's notification to Google last month, the vendor reportedly deleted more than 100 malignant add-ons from the Chrome Web store. “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” a Google spokesperson told Reuters. The company conducts “regular sweeps” to unearth extensions similar to those flagged by Awake's researchers, the spokesperson said.

For example, last February, Duo Security researchers, aided by Google's search of the Web store, discovered 500 fraudulent Chrome extensions used by hackers to upload browsing data to servers the attackers controlled. In that case as in this, the extensions were downloaded millions of times. Most of them used advertising lures to trick victims into visiting contaminated web sites.

This online blitz is different than prior episodes of polluted browser extensions not only for its size but also because it engenders a higher level of user mistrust of the internet's foundations and illuminates three areas of the web that need securing:

  • Poor oversight of domain registrars provides a platform that enables criminals and nation-states to deliver malicious code without consequences.
  • Passively targeting major applications with malicious browser extensions gives adversaries virtually unfettered access to sensitive business and personal information.
  • Many traditional approaches to security have a blind spot to poisonous browser extensions.

“Enterprise security teams would do well to recognize that rogue browser extensions pose a significant risk especially as more of our digital life is now conducted within the browser,” Golomb wrote. “Moreover, this threat is one that bypasses a number of traditional security mechanisms, including endpoint security solutions, domain reputation engines, web proxies and cloud-based sandboxes. Security teams should, therefore, hunt on an ongoing basis for the tactics, techniques and procedures to compensate for the technological shortcomings.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.