Google Chrome Extensions Hit by Surveillance Campaign

Cybersecurity firm Awake Security this week released the findings of a months-long investigation into a malicious surveillance campaign, detailing how attackers used specific Google Chrome extensions to target millions of users.

According to the report, attackers used 15,160 malicious websites and 111 Chrome extensions, which were downloaded 33 million times. Anyone who accessed those sites or downloaded the extensions was likely exposed.

Google Chrome extensions are add-ons that enhance and customize a user's web browser; to do their job they can request broad access to the pages a user visits. CNN Business notes that popular extensions include adblockers, one that allows multiple laptops to stream Netflix simultaneously, and one that flags suspicious websites.

“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network,” said Awake in a press release.

Google has since removed the extensions.

“We appreciate the work of the research community, and when we are alerted of extensions … that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson Scott Westover said in a statement provided to CNN Business. “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”

More alarmingly, Awake found that the campaign was sophisticated and that the actors behind it had designed it to "avoid detection by state-of-the-art security tools," according to the report.

The researchers traced the extensions back to the Israel-based domain registrar CommuniGal Communication Ltd. (GalComm). The extensions were able to "take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, [and] grab user keystrokes (like passwords)."
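Each of the capabilities listed above maps onto specific Chrome extension permissions, which is what a defender has to look at when triaging installed extensions. The script below is an added example written for this article, not code from Awake Security or the original report: it reads extension manifests (Manifest V2 and V3), and reports which of the four reported capabilities the declared permissions would allow. The manifests in the block are constructed samples; the permission names are Chrome's documented ones.

```python
"""Triage Chrome extension manifests for permissions that would allow the
capabilities described in the Awake report: cookie harvesting, clipboard
reads, screenshots and keystroke capture.

Added example, not code from the original article or from Awake Security.
The three manifests at the bottom are constructed for illustration.
"""
import json

# Any of these host patterns gives the extension access to every site the
# user visits (cookies for those hosts, captureVisibleTab on any tab, ...).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Host permissions: mixed into "permissions" in MV2, in "host_permissions" in MV3."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return {p for p in perms if "://" in p or p == "<all_urls>"}


def _api_permissions(manifest):
    """Named API permissions (cookies, tabs, ...) excluding host patterns."""
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}


def _content_script_matches(manifest):
    """URL patterns into which content scripts are injected."""
    out = set()
    for cs in manifest.get("content_scripts", []):
        out |= set(cs.get("matches", []))
    return out


def triage(manifest):
    """Return {capability: why} for each reported capability this manifest could support.

    A hit is a reason to inspect the extension, not proof of malice: legitimate
    adblockers also need broad host access, so pair this with code review.
    """
    apis = _api_permissions(manifest)
    hosts = _host_patterns(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    findings = {}

    # chrome.cookies only returns cookies for hosts the extension has access to.
    if "cookies" in apis and hosts:
        scope = "every site" if broad else f"{len(hosts)} declared host pattern(s)"
        findings["harvest cookies"] = f"'cookies' API with host access to {scope}"

    # clipboardRead lets extension pages paste the clipboard contents.
    if "clipboardRead" in apis:
        findings["read clipboard"] = "'clipboardRead' permission"

    # chrome.tabs.captureVisibleTab needs activeTab (user-gesture gated) or
    # host access to the tab's URL; broad host access makes capture silent.
    if "activeTab" in apis or broad:
        findings["capture screenshots"] = (
            "broad host access (silent capture of any tab)" if broad
            else "'activeTab' (only after a user gesture on the toolbar icon)"
        )

    # A content script injected into every page can attach keydown listeners;
    # this needs no API permission at all, only the "matches" pattern.
    if _content_script_matches(manifest) & BROAD_HOSTS:
        findings["capture keystrokes"] = "content script injected into every page"

    # Credential tokens in URL parameters: webRequest exposes full request
    # URLs; the tabs permission exposes every tab's URL.
    if "webRequest" in apis and broad:
        findings["read URL parameters"] = "'webRequest' on all hosts exposes full request URLs"
    elif "tabs" in apis:
        findings["read URL parameters"] = "'tabs' API exposes every tab's URL"

    return findings


def load_manifest(path):
    """Load a manifest.json from an unpacked extension directory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Search Helper", "version": "1.0",
  "permissions": ["cookies", "clipboardRead", "tabs", "webRequest", "<all_urls>"],
  "background": {"scripts": ["bg.js"]},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}]
}""")

ADBLOCK_LIKE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Blocker", "version": "2.0",
  "permissions": ["declarativeNetRequest", "storage"],
  "host_permissions": ["<all_urls>"]
}""")

MINIMAL_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Example Notes", "version": "0.1",
  "permissions": ["storage"], "action": {"default_popup": "popup.html"}
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, ADBLOCK_LIKE_MANIFEST, MINIMAL_MANIFEST):
        print(m["name"], "->", triage(m) or "no reported capabilities")
```

The adblocker-style manifest still trips the screenshot check because `<all_urls>` host access is enough to call `captureVisibleTab` on any tab; that is the caveat Google's policy review has to live with, and why permission triage only narrows the list of extensions whose code needs to be read.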

Investigators claim that GalComm "enabled malicious activity," which could explain how the attackers evaded security measures. GalComm denies any involvement.

“GalComm is not involved, and not in complicity with any malicious activity whatsoever,” GalComm owner Moshe Fogel told Reuters.

Additionally, Fogel said most of the domain names cited by the report were inactive, but that his company will continue its own investigation.

Still, this isn't the first time Google Chrome extensions have been a gateway for attackers: earlier this year independent researcher Jamila Kaya, working with Cisco's Duo Security, exposed a campaign of malicious extensions that harvested data from an estimated 1.7 million users.
