These 4 malicious Chrome extensions are infecting more than half a million users

Google Chrome is currently the most widely used web browser in the world, with more than 55 percent of the web browsing market. People flock to it because of its speed, multi-platform integration, user-friendliness, incognito mode and, of course, the large assortment of third-party extensions available.

Chrome browser extensions are to your browser what apps are to your smartphone. They add extra functionality and extend the browser’s usability beyond your typical web search and browsing activities.

The similarities don’t end there. Again, like mobile apps, there will always be bad apples among the thousands of extensions available. Take these four extensions that were found to be harboring suspicious code. Fraudsters may be using them now to exploit your computer resources for their financial gain!

Suspicious extensions

Researchers from cybersecurity company ICEBRG have revealed four Chrome extensions that were found to be loaded with suspicious code.

They reported that the malicious extensions were all available on the official Chrome Web Store and had been installed by over half a million Chrome users around the world.

The offending Chrome extensions are as follows:

  • Change HTTP Request Header
  • Nyoogle – Custom Logo for Google
  • LiteBookmarks
  • Stickies – Chrome’s Post-It Notes

These extensions are suspected to be generating profit for their creators via fake ad clicks and search engine optimization (SEO) manipulation.

ICEBRG also warns that these extensions can be used by attackers to gain access to corporate networks and user information.

How does this scam work?

According to ICEBRG’s blog post, the company’s security researchers discovered the suspicious activity while investigating unusual spikes in outbound web traffic from a client’s workstation to a European virtual machine provider.

They traced the web traffic spike back to the Chrome extension called “Change HTTP Request Header.” The researchers noted that the extension itself does not contain any “overtly malicious code” but does contain two functions that can be combined to enable malicious JavaScript code to execute.

This JavaScript code can then redirect outside traffic through the victim’s Chrome browser, forcing it to visit ad sites that pay per click. All the revenue generated by these fake clicks is then collected by the fraudsters.

The exploit can also be used by the fraudsters to browse internal sites of the victim’s own network and, more importantly, the same tools can be used by an advanced hacker to gain a “beachhead into target networks.”

Based on the similarity of tactics, ICEBRG has tagged the three other extensions, namely, “Nyoogle – Custom Logo for Google,” “LiteBookmarks” and “Stickies – Chrome’s Post-It Notes,” to be related to the suspicious “Change HTTP Request Header” extension activity.

What is Google’s response?

Armed with its findings, ICEBRG has already informed pertinent parties such as the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), the Google Safe Browsing Operations team and affected ICEBRG clients about the malware.

In response, Google has already removed the four questionable extensions from the Chrome Web Store.

Keep in mind that removing the malicious extensions from the Chrome Web Store does not remove them from the victim’s Chrome browser. You may have to uninstall these extensions manually.

How to remove Chrome extensions

Here’s how you uninstall a Chrome extension:

  1. In your Chrome browser, click the “hamburger” icon (three horizontal lines) in the top right corner
  2. Hover over More Tools then click Extensions
  3. You will now be directed to a page with all your installed extensions
  4. To remove an extension, click on its trash icon (located on its right side)
  5. Click Remove on the popup window to confirm
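
For anyone checking more than one machine or profile, the sketch below is an added example (not code from ICEBRG or from this article) that sweeps a Chrome user data directory for installed extensions whose manifest name matches one of the four names listed above. It assumes the usual on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`; the function names are this example's own.

```python
import json
import sys
from pathlib import Path

# Extension names exactly as listed in the article (no extension IDs are given there).
FLAGGED = ["Change HTTP Request Header", "Nyoogle – Custom Logo for Google",
           "LiteBookmarks", "Stickies – Chrome’s Post-It Notes"]

def norm(name):
    """Fold case, whitespace, dash and apostrophe variants before comparing names."""
    for fancy, plain in (("\u2013", "-"), ("\u2014", "-"), ("\u2019", "'")):
        name = name.replace(fancy, plain)
    return " ".join(name.lower().split())

FLAGGED_NORM = {norm(n) for n in FLAGGED}

def display_name(version_dir, manifest):
    """Return the manifest name, resolving a __MSG_key__ placeholder via _locales."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    try:
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        lowered = {k.lower(): v for k, v in msgs.items()}  # message keys ignore case
        return lowered[name[6:-2].lower()]["message"]
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return name  # unresolved placeholder: report it as-is

def find_flagged(user_data_dir):
    """Return sorted (profile, extension_id, version, name) tuples for flagged names."""
    hits = []
    # Assumed layout: <user data dir>/<profile>/Extensions/<id>/<version>/manifest.json
    for mf in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, keep sweeping
        if not isinstance(manifest, dict):
            continue
        name = display_name(mf.parent, manifest)
        if norm(name) in FLAGGED_NORM:
            hits.append((mf.parents[3].name, mf.parents[1].name, mf.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python find_flagged.py "<path to Chrome user data directory>"
    for hit in find_flagged(sys.argv[1]):
        print(*hit, sep="\t")
```

A name match is only a lead, since unrelated extensions can share a name; confirm each hit on the Extensions page before removing it.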

For more technical details, see ICEBRG’s full post.
