Malicious Chrome Extensions Infect Over 100,000 Users
Security analysts at Radware have discovered seven malicious extensions in the official Chrome Web Store. These extensions disguised themselves as popular legitimate tools but were actually stealing user credentials, mining cryptocurrency, and engaging in click fraud. According to experts, the extensions were installed over 100,000 times. In one case, the malware even infiltrated a “well-protected network” belonging to a large, unnamed manufacturer.
Names of the Malicious Extensions
- Nigelify
- PwnerLike
- Alt-j
- Fix-case
- Divinity 2 Original Sin: Wiki Skill Popup
- Keeprivate
- iHabno
Researchers report that all the extensions were created by a single hacker group. They had been available in the Chrome Web Store since at least March 2018 and were mainly spread through social engineering and links on Facebook. These links led victims to a fake YouTube page that prompted them to install the extension.
How the Malware Worked
Once installed, the extension executed malicious JavaScript that enrolled the infected machine in a botnet. The malware stole the victim's Facebook and Instagram credentials, which were then used to push the same extension to the victim's friends.
Additionally, the malware forced infected computers to mine cryptocurrencies such as Monero, Bytecoin, and Electroneum. According to Radware, in just the last six days, the attackers earned about $1,000 through this method.
Google’s Response
Experts note that Google has not been idle. Four out of the seven discovered extensions were detected and removed from the Chrome Web Store by Google’s own specialists, despite the criminals’ use of obfuscation and other masking techniques. Unfortunately, the Nigelify and PwnerLike extensions remain active at the time of reporting.
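Because two of the extensions were still live when this was written, the check a defender would want is an inventory of a Chrome profile's Extensions directory flagged against the names listed above. The script below is an added example, not code from the article or from Radware; it reads each <profile>/Extensions/<id>/<version>/manifest.json, resolves localized __MSG_ names from _locales the way Chrome does, and scans a sample tree it constructs itself with placeholder extension ids.

```python
import json
import tempfile
from pathlib import Path

# Extension names reported in the article, used as the lookup list.
REPORTED_NAMES = {
    "Nigelify", "PwnerLike", "Alt-j", "Fix-case",
    "Divinity 2 Original Sin: Wiki Skill Popup", "Keeprivate", "iHabno",
}

def resolve_name(ext_dir, manifest):
    """Display name, with a __MSG_key__ placeholder resolved from _locales as Chrome does."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs_file = ext_dir / "_locales" / locale / "messages.json"
        if msgs_file.is_file():
            msgs = json.loads(msgs_file.read_text(encoding="utf-8"))
            name = msgs.get(name[6:-2], {}).get("message", name)
    return name

def scan_extensions(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; flag names in REPORTED_NAMES."""
    findings = []
    for manifest_path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        name = resolve_name(version_dir, manifest)
        findings.append({"id": version_dir.parent.name, "version": version_dir.name,
                         "name": name, "reported": name in REPORTED_NAMES})
    return findings

def build_sample_profile():
    """Constructed sample tree with placeholder ids: a plain name, a localized name, a benign one."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    def write(ext_id, version, manifest, messages=None):
        d = root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:  # localized name lives in _locales/<default_locale>/messages.json
            loc = d / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0", {"name": "Nigelify", "version": "1.0"})
    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3_0",
          {"name": "__MSG_appName__", "default_locale": "en", "version": "2.3"},
          {"appName": {"message": "PwnerLike"}})
    write("cccccccccccccccccccccccccccccccc", "0.1_0", {"name": "Benign Tool", "version": "0.1"})
    return root
```

To run it against a real profile, pass the profile's Extensions directory to scan_extensions (on Windows, under %LOCALAPPDATA%\Google\Chrome\User Data\Default). Name matching is only a first pass, since a malicious extension can change its display name at will.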