By Atif Mushtaq, CEO, SlashNext
Browser extensions, such as those offered through the Chrome Web Store, are one of the most common ways users customize their browsers. These typically small add-ons bolt on to the browser to add functionality, block ads and more. But the convenience and productivity they provide do not come without risk: malicious activity that uses browser extensions as an attack vector is on the rise.
Researchers at CSIS discovered a new Android malware family called Joker that conducted ad fraud and data theft through two dozen apps with nearly 500,000 combined downloads from the Google Play store. Joker hid in mobile apps rather than browser extensions, but it illustrates the same store-vetting problem: its payload could steal victims' SMS messages, contact lists and device information, and it covertly interacted with advertising sites to generate fake clicks and sign infected users up for premium subscriptions they never requested.
Another infamous case involved one of the most popular Chrome extensions, Evernote's Web Clipper, the companion to the Evernote note-taking and organizing application. Over 4.5 million users had installed it, leaving their data exposed to a vulnerability that let attackers bypass Google Chrome's security policies.
The security firm Guardio uncovered the hole in June, finding that the vulnerability could give an attacker access to the user's browser and extract useful information. The flawed way the extension interacted with websites let a malicious page use a cross-site scripting technique to run attacker-controlled script in the context of other sites, circumventing the browser's Same Origin Policy (SOP). The SOP is the rule that script loaded from one origin (scheme, host and port) may not read data from a page served by a different origin; it is what stops a site you are visiting from reading your webmail or banking session in another tab. Because the extension itself had access to every site, abusing it turned one malicious page into access to the victim's sessions on third-party sites. Fortunately, Evernote released a fixed version of the extension shortly after the disclosure.
Earlier this year, attackers abused an extension called SingleFile, which lets users save and archive a web page as a single HTML file, to clone login pages and phish credentials from unsuspecting users. Unfortunately, these are just a few of the many instances of browser extension exploitation.
Fortunately, Google is responding to these issues. After announcing last fall that it planned to increase user protections around third-party extensions and other applications, Google is tightening its policies to reduce the exposure of user data. Extensions may now request only the permissions they actually need to implement or update their features, and developers must pick the narrowest permission that does the job. Google is also requiring extensions that handle users' personal or sensitive information to publish a privacy policy and to meet its updated security guidelines.
However, the underlying problem remains: a browser extension is not a web application and is not confined by the SOP the way a page is. An extension granted host permissions can read and modify any page the user has open, regardless of origin, which is exactly the capability the SOP denies to ordinary page scripts. That makes extensions a vessel for phishing: a malicious or compromised extension can inject a fake login form into a legitimate site, or read credentials as they are typed, without ever tripping the browser's own cross-origin protections. The attacker then uses the stolen logins and passwords to take over the victim's accounts and steal money and data.
In a study published in January, researchers at the French Université Côte d'Azur found 197 extensions, across browsers including Chrome and Firefox, that could be abused by a malicious website. The extensions exposed their privileged capabilities through the messaging interface between web pages and extension scripts, so a rogue page could ask the extension to make cross-origin requests or read data on its behalf, effectively bypassing the SOP to reach the victim's information.
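The following is an added example, not code from the author, from Evernote or from the Université Côte d'Azur study. It shows the pattern behind both the "extensions are not confined by the SOP" point and the 197-extension finding: a hypothetical extension background script that fetches URLs on behalf of web pages. The vulnerable handler relays any request from any sender; the hardened handler checks the sender's origin against the extension's own site and restricts fetches to an allow-list of hosts. Chrome's messaging and fetch APIs are replaced by stubs so the file runs under plain Node.js, and all URLs, hosts and page contents are constructed for the demo.

```javascript
// Added example (not the author's or any vendor's code): a hypothetical
// extension background script that relays fetch requests for web pages, in
// the vulnerable shape the Université Côte d'Azur study warns about and a
// hardened shape. Chrome's messaging and fetch APIs are replaced by stubs so
// the file runs under plain Node.js; everything below is constructed data.

// Constructed stand-in for the background page's fetch(). With host
// permissions, that fetch is not bound by the SOP of whatever page asked
// for it, so it returns the user's logged-in content on other origins.
// It is synchronous here so the example needs no top-level await.
const PRIVATE_PAGES = {
  "https://mail.example.com/inbox": "secret inbox contents",
  "https://api.notes.example/export": "all the user's notes",
};
function privilegedFetch(url) {
  if (!(url in PRIVATE_PAGES)) throw new Error("not found: " + url);
  return PRIVATE_PAGES[url];
}

// Vulnerable pattern: the extension accepts a "fetch" message from any
// sender and returns whatever the privileged fetch came back with. If a
// content script forwards window.postMessage events to this handler, or the
// manifest lists the page under externally_connectable, any site the user
// visits becomes an SOP bypass for every origin the extension can reach.
function vulnerableHandler(message, sender) {
  if (message.type !== "fetch") return { error: "unknown message" };
  return { body: privilegedFetch(message.url) }; // no check on sender or url
}

// Hardened pattern: only the extension's own web app may send requests, and
// only to the hosts the feature actually needs, over https.
const TRUSTED_SENDER_ORIGINS = new Set(["https://app.notes.example"]);
const ALLOWED_FETCH_HOSTS = new Set(["api.notes.example"]);

function hardenedHandler(message, sender) {
  let senderOrigin;
  try {
    senderOrigin = new URL(sender.url).origin; // origin of the page that sent it
  } catch (e) {
    return { error: "bad sender" };
  }
  if (!TRUSTED_SENDER_ORIGINS.has(senderOrigin)) return { error: "untrusted sender" };
  if (message.type !== "fetch") return { error: "unknown message" };

  let target;
  try {
    target = new URL(message.url);
  } catch (e) {
    return { error: "bad url" };
  }
  if (target.protocol !== "https:" || !ALLOWED_FETCH_HOSTS.has(target.hostname)) {
    return { error: "url not allowed" };
  }
  return { body: privilegedFetch(target.href) };
}

// What a rogue page sends: the message is identical in both cases; only the
// handler decides whether the SOP is honoured.
const ROGUE_SENDER = { url: "https://evil.example/landing" };
const STEAL_INBOX = { type: "fetch", url: "https://mail.example.com/inbox" };

function demo() {
  return {
    vulnerable: vulnerableHandler(STEAL_INBOX, ROGUE_SENDER),
    hardened: hardenedHandler(STEAL_INBOX, ROGUE_SENDER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` and compare the two results: the vulnerable handler hands the rogue page the contents of the victim's inbox on another origin, while the hardened handler refuses before any fetch happens. The sender check matters as much as the URL allow-list; an extension that validates the URL but accepts messages from any page still lets every site drive its privileged fetch.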
Attackers also ship malicious extensions of their own, disguised as useful tools. By offering unsuspecting users (often employees of a targeted organization) an add-on for grammar checking, page archiving or similar tasks, they gain a foothold inside the browser and carry out browser-based phishing that tricks victims into exposing credentials and private information the criminals can then exploit.
This is all part of the large and growing problem of browser-based cybercrime. Most users are now aware of email phishing, but many do not realize how broad the rest of the attack surface is. Attackers have many delivery channels: in addition to browser extensions and email, pop-up ads, social media, instant messengers and more all serve as vectors for malicious activity.
Responsibility certainly lies with the app and extension stores to vet the safety of incoming submissions, which is no easy feat: there are many ways to evade security tools that look for specific malware signatures and attributes, and those attributes can be masked with minimal coding.
Security teams can also take a few steps to reduce users' exposure. Security awareness training and blocking the installation of new software, including browser extensions, on corporate computers without express authorization from IT are two examples; Chrome's enterprise extension policies can make the second one enforceable by blocking every extension except an approved allow-list. Employers should also research effective, forward-looking security solutions, since too many products are reactive and do not investigate threats in real time. These are some of the initial measures organizations need to take to protect their data from the abundant and dangerous threats users face from browser extensions.
About the Author
Atif Mushtaq is the founder and CEO of SlashNext, the company pioneering a new, more effective way of protecting companies from the growing problem of Web-based phishing. Prior to founding SlashNext, Atif spent nine years at FireEye as a senior scientist, where he was one of the main architects of FireEye’s core malware detection technology. He has spent most of his career on the front lines of the war against cybercrime. He has worked with law enforcement and other global organizations to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo, and Grum botnets.