More and more services are available online without an additional software client. The secret is that they all run directly in Internet browsers. Those browsers have also been adapted over time and offer the possibility to add extensions, for thousands of different purposes. However, cyber criminals have been taking advantage of this situation for several years now and it will not stop. Kaspersky has a new report about this particular threat.
Downloading browser extensions
Browser extensions, also known as add-ons, are usually downloaded from official marketplaces or browser provider repositories, such as the Chrome Web Store or the Firefox Add-ons website. These platforms generally have processes to check whether an extension is benign or could be a form of malware, but some experienced malware developers may still be able to bypass those checks. In 2020, 106 browser extensions were deleted from the Chrome Web Store; they were used to steal user data, take screenshots, or even steal credit card information from web forms.
However, it is also quite common for some add-on developers to offer their work on their own website and allow the download and installation of their add-ons in the browser from there.
Browser extensions: the risks
Even without talking about malicious add-ons, some extensions can be harmful to the user, as they collect a lot of data from the web pages that the user visits, thereby creating a complete profile of the person browsing and possibly knowing far too much about him/her. This data may be shared or sold by the add-on developer to advertisers or other third parties. In the worst case, the data is not anonymized and is sold raw.
Another risk is that once an add-on is installed, it can be updated without the end user having to do anything, meaning that a legitimate add-on could suddenly be compromised and start spreading malware, such as happened with the CopyFish add-on. A developer can also stop developing his/her tool and sell it or give it to another developer, who may… turn it into malware.
SEE: Mobile Device Security Policy (TechRepublic Premium)
Malicious add-ons statistics
Kaspersky analyzed data between January 2020 and June 2022 and provided statistics on this threat.
Since 2020, Kaspersky has blocked downloads of malicious add-ons for 6,057,308 users, most of them in 2020 (Figure A).
Figure A

As can be seen from the chart, H1 2022 has already almost reached the level of the entire 2021 year and is likely to increase in the latter part of the year.
Malicious payloads
The most common threat proliferating through browser extensions is adware, which consists of code in the extension that displays unwanted ads in the browser while the user browses websites. Those ads are pushed by affiliate programs in an effort to drive more potential customers to their websites (Figure B).
Figure B

Kaspersky researchers indicate that adware represents about 70% of the entire threat from browser extensions.
The second most common threat is malware. Most malware is aimed at stealing login credentials, cookies, and data copied to the clipboard. While the main use of this type of malware is to steal valid website credentials and credit card information, it can also be used for cyber-espionage. Between 2020 and 2022, 2.6 million unique users experienced malware download attempts.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Threat Examples
Kaspersky offers several examples of malicious extensions, two of which really stand out.
WebSearch
H1 2022 showed WebSearch as the most common threat, with 876,924 unique users. The threat mimics tools for working with documents, such as .DOC to .PDF file converters and document mergers, among others.
It changes the user’s browser home page and provides links to third-party resources. The transition to these resources is done through affiliate links. As written by Kaspersky, “the more often users follow these links, the more money the extension developers make.”
The default search engine is also changed to one that can capture, collect, and analyze searches in order to promote partner sites in the search results (Figure C).
Figure C

The smart thing about it is that the add-on still provides the functionality for which the user installed it, usually a PDF converter, so the user does not uninstall it.
It is not available on the Chrome Web Store, but can still be downloaded from third-party sources.
FB Stealer
One of the most dangerous families of malicious browser extensions is currently FB Stealer, which steals Facebook cookies in addition to changing the search engine. The cookie theft allows an attacker to log into the victim’s Facebook account and take full control of it, often changing the password to kick out the legitimate user before using the account for various scams. FB Stealer is installed in the browser by malware, not by the user.
Users get infected by downloading the Nullmixer malware, often disguised as a cracked software installer. Once executed, it silently installs the FB Stealer browser extension on the computer.
How to protect against those threats?
It is recommended to always keep the browser up to date and patched. It is also strongly recommended that all browser data be analyzed by security products.
Most malicious add-ons require additional privileges to function fully. Users should always carefully research the privileges requested by any new add-on they install.
Add-ons should only be downloaded from trusted sources, as malicious add-ons are often distributed through third-party sources where no one checks their security, like official online stores do.
Finally, users should regularly check their installed extensions and verify that each one is still really necessary. If not, it should be removed.
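A practical way to apply the last two recommendations (review the privileges an add-on requests, and audit installed extensions regularly) is to read each installed extension's manifest.json and flag the capabilities that the examples in this article abuse: cookie access, clipboard reading, traffic interception, and home page or search engine overrides. The script below is an added example, not code from the original article or from Kaspersky; the set of flagged permissions and the risk notes are this example's own assumptions, as is the assumed Chrome profile layout (a `<profile>/Extensions` directory with one `manifest.json` per extension version).

```python
import json
import os
import sys

# Real Chrome extension manifest capabilities; the risk notes beside them are
# assumptions made for this audit script, not a list taken from the article.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies (the FB Stealer pattern)",
    "clipboardRead": "can read data copied to the clipboard",
    "webRequest": "can observe or modify web traffic",
    "history": "can read browsing history (profiling)",
    "tabs": "can see URLs and titles of open tabs",
    "<all_urls>": "content scripts may run on every site visited",
}
RISKY_KEYS = {
    "chrome_settings_overrides": "changes home page / default search engine (WebSearch pattern)",
}

def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    # Content scripts declare the sites they run on under content_scripts[].matches.
    for cs in manifest.get("content_scripts", []):
        perms.update(cs.get("matches", []))
    for p in sorted(perms):
        if p in RISKY_PERMISSIONS:
            findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    for k in RISKY_KEYS:
        if k in manifest:
            findings.append(f"key {k}: {RISKY_KEYS[k]}")
    if manifest.get("update_url"):
        findings.append("update_url set: publisher can push new code silently (CopyFish case)")
    return findings

def audit_extensions_dir(root: str) -> dict:
    """Walk a profile's Extensions directory and map each extension (name and
    version from its manifest) to the findings for its manifest.json."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                m = json.load(fh)
            name = f"{m.get('name', '?')} {m.get('version', '')}".strip()
            report[name] = audit_manifest(m)
    return report

if __name__ == "__main__":
    # Usage: python audit_extensions.py "<path to profile>/Extensions"
    for name, findings in audit_extensions_dir(sys.argv[1]).items():
        print(name, "->", "; ".join(findings) or "no risky capabilities declared")
```

Names that appear as `__MSG_...__` are localized placeholders; the real display name lives in the extension's `_locales` folder, which this script does not resolve.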
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.