Earlier this week, Avast researchers reported that about 3 million people may have been infected by malware that has been hidden in at least 28 third-party extensions in Google Chrome and Microsoft Edge.
The researchers said that the malware is capable of redirecting users’ traffic to ads or phishing sites. This would allow attackers to steal victims’ personal data, birth dates, email addresses and active devices, for example.
Some of the extensions that have been hit by malware include:
- Video Downloader for Facebook
- Vimeo Video Downloader
- Instagram Story Downloader
- VK Unblock
Avast’s threat intelligence team started monitoring the threat in November 2020, but given that reviews on the Chrome Web Store mention link hijacking from December 2018, Avast believes that the threat could have been active for years.
Users have reported that the extensions are manipulating their internet experience by redirecting them to other websites. When a user clicks on a link, the extension sends information about what the user clicked to the attacker’s control server. The attacker can then optionally send a command to redirect the victim from the legitimate link to a hijacked URL before eventually redirecting them to the legitimate link.
Avast researchers theorised that this attack is done so that the attackers can monetise the traffic, whereby for every redirection to a hijacked URL, the attackers would receive payment.
A security evangelist at PerimeterX cautioned against downloading any extensions that require a substantial amount of permissions: “If it requires any privileged access, such as to read or change data, or access to a broad set of sites one visits, it might be best to pass. Users should also keep their browsers updated and use anti-virus and endpoint security solutions. Website owners should look for solutions that can actively detect, manage and block malicious browser extensions on the client side.”
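The permission check described above can be applied to the `manifest.json` of each installed extension. The following is an added example, not code from Avast, PerimeterX or the original article; it assumes Chrome's on-disk layout of `<extension id>/<version>/manifest.json`, and the two permission lists and the sample manifest are constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits (illustrative list).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or alter navigation and site data
# (a selection chosen for this example, not an exhaustive list).
SENSITIVE_APIS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
                  "cookies", "history", "proxy"}


def risky_permissions(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    findings = []
    declared = (manifest.get("permissions", [])
                + manifest.get("host_permissions", [])       # MV3 host access
                + manifest.get("optional_permissions", []))  # may be requested later
    for perm in (p for p in declared if isinstance(p, str)):
        if perm in BROAD_HOSTS:
            findings.append(f"broad host access: {perm}")
        elif perm in SENSITIVE_APIS:
            findings.append(f"sensitive API: {perm}")
    # Content scripts run inside matching pages and can read or change them.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(f"content script on all sites: {pattern}")
    return findings


def audit_extensions(ext_dir: str) -> dict[str, list[str]]:
    """Scan <ext_dir>/<extension id>/<version>/manifest.json and report findings."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        if not isinstance(manifest, dict):
            continue
        findings = risky_permissions(manifest)
        if findings:
            ext_id = path.parent.parent.name
            report[f"{manifest.get('name', '?')} ({ext_id})"] = findings
    return report


# Constructed sample manifest (not taken from any real extension).
SAMPLE = {"name": "Example Video Downloader", "manifest_version": 2,
          "permissions": ["tabs", "storage", "<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
```

A finding is a prompt to ask whether the extension's stated purpose justifies the access, not proof that it is malicious.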