According to Kaspersky, in H1, 2022, 1,300,000 attempts were made to install malicious browser extensions, which is a substantial increase from 2021, when 1,823,263 attempts were made for the entire year. From January 1, 2020, to June 30, 2022, 6,795,056 attempts were made by 4.3 million users of Kaspersky software to install malicious browser extensions.
There are many legitimate browser extensions, such as ad blockers, spell checkers, to-do lists, and PDF readers, which can improve productivity and efficiency, with the most popular browser extensions installed on more than 10 million devices; however, these extensions are not always what they seem, and some can pose a serious security risk.
Browser extensions may provide the services they claim to offer but can also include illegitimate functions. Browser extensions may impersonate legitimate extensions and can appear high up in the lists of browser extension stores due to keyword stuffing, and can perform a range of malicious functions. Just because the extensions can be downloaded from official stores does not mean that the extensions are legitimate or that they do not include malicious functions.
For example, in 2020, Google removed 106 malicious browser extensions from its Chrome Web Store. Those extensions were used to steal sensitive information such as cookies, passwords, and payment card information, with some of the extensions also able to take screenshots. Those 106 extensions had been downloaded more than 32 million times. These malicious extensions can put individuals at risk of identity theft and fraud, but businesses are also targeted. A malicious extension can give a threat actor a foothold in the network of a business.
Browser extensions can collect vast quantities of sensitive information if they are given permission to read and change all data on all websites. Some developers of browser extensions may sell that data to third parties, and the information that is shared or sold may not be fully anonymized. Developers of these extensions may decide to sell the product to a third party. If the extension is purchased by a bad actor, malicious functionality can be added to the extension without the knowledge of users.
Kaspersky notes that that happened with an extension called Particle, which had around 30,000 users. The extension was sold and the purchaser modified the extension to inject ads into websites for all 30,000 users without their knowledge.
Browser extensions are by far the most common method used to deliver adware. Kaspersky’s telemetry data shows that in 70% of cases, the malicious extensions included adware or serving targeted advertisements to users. These adverts often contained affiliate links and were used to snoop on users’ browsing activities.
In 1H, 2022, the most common threat was the WebSearch family of adware extensions, which can collect and analyze search queries and redirect users to affiliate sites. The extensions often mimicked productivity tools such as PDF converters and document merging utilities.
The second most common threat was AddScript, which was used to attack 156,698 users. This threat runs in the background and has the ability to download videos from the internet and run them in the background to increase ad revenue on YouTube channels. The adware can also download affiliate cookies that allow commissions to be made on purchases made through the browser.
DealPly was the third most common threat, which was often bundled with pirated software that is offered on peer-to-peer networks. Registry keys are added to ensure persistence. If the user uninstalls the extension, it is downloaded again and added to the browser. DealPly is also used to promote affiliate sites through the user’s search queries.
Care should always be taken when adding extensions to browsers. Browser extensions should only ever be installed through official stores, but even then, care should be taken. One thing users should be alert to is the permissions requested by the extensions. If a browser extension requests excessive permissions, such as requiring access to the browsing history and geolocation information, or has the ability to take screenshots when these permissions are not necessary for the extension to perform its functions, it is best not to install it. It is also recommended to conduct periodic reviews of extensions and to remove any that are no longer used.