Uncovering Malicious Browser Extensions in Chrome Web Store

Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from official Chrome Web Store, Google claims they would be able to police these extensions in order to prevent malicious ones.

Unfortunately, such tactics aren’t enough to deter cybercriminals. We have previously reported about a malware that manages to bypass this feature and install a malicious browser extension. We recently found that cybercriminals are also placing their malicious extensions in the official Web Store.

Spammed Facebook Messages

The first step of this particular attack begins on social media. A spammed message circulated on Facebook, with a link to a video related to drunk girls. Should the recipient click the link, he will be redirected to a site mimicking YouTube. A notification will appear stating that a particular Chrome extension must be installed so that the video can be viewed.


Figure 1. Fake YouTube site that requires installation of browser extension

Should the user proceed, he will be redirected to the official Chrome Web Store to download the said extension. After installing the extension, the user is redirected to a real YouTube video of drunk girls.


Figure 2. Browser extension is hosted in official Chrome Web Store


Figure 3. Users are redirected to the legitimate version of YouTube

Once installed, the malicious extension (detected as BREX_FEBIPOS.OKZ) can perform routines such as post statuses and comments on Facebook. It can also send messages and links via Facebook’s chat function, which may explain how the malicious extension spreads in the first place.

The Man Behind the Extension

Our investigation reveals that the author behind this particular extension hired a virtual private server (VPS) in Russia, where he registered several domains:

  • meusvirais[.]info – C&C where the stolen data from infected users is sent. The stolen data refers to account credentials from popular online services like Google, Facebook and Twitter.
  • cbrup[.]info – domain used to maintain software for breaking CAPTCHAS while stealing information. This server also receives stolen data.
  • SuperFunVideos[.]info – used to register the extension at Chrome Store.
  • brsupbr[.]info – not used in this attack

Data from the Smart Protection Network shows that majority of the users who accessed these sites came from Brazil.  Other victims came from countries such as the UK, the US, and Argentina.

He has at least one more VPS that hosts about 30 different domains selling weight loss products, English language tutoring services, and work-from-home offers. He uses among.us as an online counter for his number of victims and Dropbox for hosting fraudulent pages.

More Malicious Extensions

Unfortunately, this isn’t the only malicious extension we’ve spotted in the Web Store. We have seen several potentially malicious extensions in the site. At first glance, these extensions immediately appear suspicious. They are recently published, have no description for their supposed function, or have duplicate names. Some of them even have the same “author” as the malicious ones. Upon a closer look, these extensions have obfuscated JavaScript code. Making matters worse, the number of downloads for these extensions ranges in the thousands.

We advise users to avoid clicking links from messages, even if they appear to come from friends or contacts. As this attack has shown, messages can actually come from compromised accounts. We also advise users to scrutinize browser extensions. Read reviews and check ratings before installing any extension. These may give users an idea if the extension truly does what it advertises or not.

The extension used in the attack is no longer available in Chrome Web Store. We have reported the other extensions to Google. 

The SHA1 hashes of the malicious files are:

  • b7d2c9d221e0e04ffb8090d3067c9b8ee50967e0
  • 027a7f5474168be5e8f8cba16bee3703c5b7e2ee

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Uncovering Malicious Browser Extensions in Chrome Web Store

Read more: Uncovering Malicious Browser Extensions in Chrome Web Store

Story added 11. September 2014, content source with full text you can find at link above.