
1.3 million users faced browser extension threats in the first half of 2022

  • August 23, 2022

Kaspersky researchers analyzed the risks that seemingly harmless browser extensions pose to users and the activities of cyber criminals who hide their threats inside add-ons. In the first half of 2022, more than 1.3 million users were affected at least once by threats hiding in browser extensions. That is more than 70% of the number of users affected by the same threat throughout 2021. Threats in browser extensions can imitate popular applications such as Google Translate or extensions with useful features such as PDF Converter or Video Downloader in order to display advertisements, collect data about users’ browsing history and steal login credentials. This makes them one of the most sought-after tools for cyber criminals.

Since the start of 2020, Kaspersky products have prevented nearly 6 million users from downloading threats hidden behind browser extensions. In the first half of 2022, Kaspersky researchers saw a significant increase in the number of affected users: during this time, 1.3 million users encountered threats in extensions. Although 2022 is only half over, that is already more than 70% of the number of users affected by the same threat in the previous year. The most obvious threat spreading under the guise of browser extensions is adware, unwanted software designed to display advertisements on the screen. These ads are often tailored to the user’s browsing history to attract attention; the adware places banners on web pages or redirects users to affiliate pages that its developers can monetize, in place of legitimate search engine ads. From January 2020 to June 2022, Kaspersky experts determined that more than 4.3 million unique users encountered adware lurking in browser extensions. This means that about 70% of all affected users faced this threat.

In addition, malicious and unwanted add-ons have also been found to be distributed via official marketplaces. In 2020, Google removed 106 malicious browser extensions from the Chrome Web Store. These were used to steal sensitive user data such as cookies and passwords and to take screenshots. In total, these malicious extensions were downloaded 32 million times and compromised the data of millions of users.

However, this does not happen often. Third party sources are the main way malicious plugins are distributed. One of the threat families analyzed by Kaspersky researchers in the report, FB Stealer, spread only through untrusted sites. FB Stealer is one of the most dangerous threat families because in addition to traditional search engine replacement and affiliate page redirection, it can also steal Facebook users’ login credentials.

When users tried to download a pirated software installer from third-party sources, such as SolarWinds Broadband Engineers Keymaker, what they actually received was the dangerous NullMixer Trojan. NullMixer then installed FB Stealer, which seemed less suspicious to the user because it imitated the harmless, standard-looking Chrome extension “Google Translate”.

Once launched by the NullMixer Trojan, FB Stealer is able to extract Facebook session cookies (data stored in the browser that contains users’ login credentials) and send them to the attackers’ servers. With these cookies, for example, the attackers can quickly log in to the victim’s Facebook account. Once in the account, they ask the victim’s friends for money and try to extort as much as possible before the user regains access to the account. In the end, a user who downloads a decoy installer from an unknown source faces an unexpected threat, and many of their friends lose money.

Kaspersky Senior Security Researcher Anton V. Ivanov says: “Even browser extensions that do not contain malicious payloads can sometimes be dangerous. For example, when the developers of these plugins sell collected user data to other companies, they may expose their data to people who shouldn’t see it. Users may wonder if browser extensions that can pose so many threats are worth downloading. I am also an active browser extension user and I believe that add-ons improve the online experience. Some extensions, such as password managers, can make devices much more secure. Here it is very important to pay attention to how reputable and trustworthy the developer is and what permissions the extension asks for. If you follow the recommendations for safe use of browser extensions, your risk of threats is minimal.”

You can read the Securelist report to learn more about the dangers of seemingly harmless browser extensions.

To protect yourself from threats hiding in browser extensions, Kaspersky recommends the following:

  • Use only trusted sources to download software. Malware and PUAs are often distributed via third-party sources, where no one checks their security the way official online stores do. These apps can install malicious or unwanted browser extensions and perform other malicious activities without the user’s knowledge.
  • Extensions add extra functionality to browsers and require access to various resources and permissions to do so. Review the permissions an extension requests carefully before accepting them.
  • Limit the number of extensions you use at the same time and check your installed extensions regularly. Remove any extensions you no longer use or recognize.
  • Use a proven security solution. The private browsing feature in Kaspersky Internet Security helps you prevent internet tracking and protects you from threats.
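
One way to carry out the permission review and the regular check of installed extensions recommended above, shown as an added example that is not from Kaspersky or the original article. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, uses a permission shortlist chosen for illustration, and treats a missing Chrome Web Store `update_url` as a hint (not proof) that an extension was installed from elsewhere.

```python
import json
from pathlib import Path

# Shortlists chosen for this example (an assumption, not a complete policy).
SENSITIVE = {"cookies", "history", "tabs", "webRequest", "scripting", "downloads"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> list[str]:
    """Return the reasons a single manifest.json deserves a manual look."""
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    findings = []
    sensitive = sorted(requested & SENSITIVE)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))
    if requested & BROAD_HOSTS:
        findings.append("access to all sites")
    if manifest.get("update_url") != WEBSTORE_UPDATE:
        findings.append("not updated from the Chrome Web Store")
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        key = path.parent.relative_to(extensions_dir).as_posix()  # "<id>/<version>"
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[key] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[key] = findings
    return report


# Constructed sample manifest (not taken from any real extension).
SAMPLE = {"name": "Translate Helper", "manifest_version": 2,
          "permissions": ["cookies", "tabs", "<all_urls>"]}
if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A finding is a prompt to check the extension's developer and purpose by hand; password managers and ad blockers legitimately request broad access.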

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
