OSINT Academy

9 popular malicious Chrome extensions

Browser extensions are plugins that add functionality to your browser. For example, they can block ads on web pages, do markups, check spelling, etc. Each of us has probably installed various browser extensions at one time or another: an ad blocker, an online translator, a spell checker, an anti-fingerprint tracking program, or something else. However, few people stop to think: is it safe?

Studies have shown that many extensions are involved in a range of fraud, theft, advertising, and abuse of social networks. Rather than working as they are described, these extensions can be triggered by various types of web content that can trigger some illegal activity, which in turn can access personal information or damage devices.

browser extension

Popular malicious Chrome extensions

Google's Chrome browser is the most popular web browser in the world and supports more than 130,000 unique browser extensions. Most of these unique extensions are secure and supported by Chrome itself, but there are some popular extensions that have been determined to be "malicious". These malicious Chrome extensions may contain malware that could eventually compromise system security. The following list contains some of the most notorious extensions that Chrome users should be aware of.

1. Netflix Party

Netflix, the paid streaming service that allows only members to watch movies and TV shows on connected devices. The Netflix Party extension is designed to allow users to watch Netflix episodes simultaneously with friends or loved ones.

The extension has actually been open for use for many years, and in the last two years, due to the spreading effects of the COVID-19, Netflix Party has become widely used again, with the number of users showing an extremely rapid growth trend, with more than 800,000 downloads so far.

But in reality, the plugin tracks the digital footprint of users and injects affiliate links into the appropriate pages. The owner of the extension can even make a profit by selling the user's browsing history.

2. Netflix Party 2

Netflix Party 2, which has now been downloaded over 300,000 times, is similar to its predecessor Netflix Party in that it attempts to inject affiliate links into users' browsing. Notably, in order to evade detection, analysis and confuse researchers or wary users, this type of add-on - including Netflix Party 1 and 2 - may even include links or perform any malicious activity before injecting a time check that will delay its installation by 15 days to hide its malicious properties.

3. Full Page Screenshot Capture-Screenshotting

The Full Page Screenshot Capture-Screenshotting extension had been downloaded by more than 200,000 users before its malicious behavior was discovered. This extension, designed to take screenshots of web pages with one click, actually tracks user data and changes the location of certain cookies on e-commerce sites, disguising the user's original URL as a referral site.

4. friGate Light

friGate Light is designed to access locked websites and encrypt user traffic data. However, this extension is also embedded with malware that can be used to access user data. In addition, users who download this extension will be asked to provide friGate Light with access to sensitive data.

5. friGate CDN

Similar to friGate Light, friGate CDN is designed to provide users with access to blocked websites. This extension is also embedded with malware that allows access to sensitive user data. This extension also redirects users to secondary sites through its proxy to collect data and further infect devices.

6. SaveFrom.Net

SaveFrom.Net is a free website that supports downloading videos from Youtube, Facebook, Vimeo, Break and many other websites. It is easy to download by copying and pasting the video link into the search box in the middle of the website.

But at the same time, it also collects user data, such as IP address and browsing behavior, which has been or may be leaked when using the website.

7. SHARPEXT

SHARPEXT is well known in the field of email spyware. This extension was created and deployed by SharpTongue (also known as Kimsuky), a notorious malicious actor known for stealing and leaking private information including usernames and passwords.

However, SHARPEXT differs from the previously documented extensions used by the SharpTongue organization because it does not attempt to steal usernames and passwords. Instead, the malware examines and steals data from the victim's webmail account directly while they are browsing the web. Since its discovery, an internal version of the extension has evolved to version 3.0, which supports three web browsers and can steal emails from Gmail and AOL webmail, extract sensitive data and continuously monitor user behavior.

8. Hola VPN-The Website Unblocker

When a user needs to access a website or wants to watch a movie but encounters a firewall block, the result can be frustrating. Hola VPN is a free, unrestricted website unblocker designed to remove these barriers from the user's online experience. However, unlike a proper VPN, Hola acts as a peer-to-peer proxy network. This means that everyone using Hola is effectively "borrowing" another user's connection.

To make matters worse, Hola has been used as a giant botnet system. In exchange for a free service, Hola uses some of a user's free bandwidth to support other users' connections. In the past, Hola sold this bandwidth through the then-affiliated Luminati (now Bright Data) service. Malicious individuals used the system to launch DDoS attacks on major websites until the company rolled out stricter guidelines.

In addition, the malicious Chrome extension was riddled with a variety of other security vulnerabilities and flaws, as well as secretly tracking user behavior and unencrypted network traffic.

9. Dormant Colors Campaign

The campaign called "Dormant Colors" is not a malicious Chrome extension, but is in fact a combination of 30 unique and dangerous plugins that, horrifyingly, have been downloaded by millions of users. These extensions were injected with malicious code and molded into information-stealing extensions after they were initially introduced to the Web Store. Unfortunately, the campaign is still running despite the fact that many of the affected extensions have been deactivated.



Related Articles:

Search engines for pentester and security professionals
How to find sensitive data with Google Dork?
Is it possible for ChatGPT to eliminate search engines?
How to avoid dangerous Chrome extensions?
Open Source Intelligence: How to investigate domain names