Three million Google Chrome and Microsoft Edge users could be at risk of data theft and phishing after researchers discovered malware hidden in multiple browser extensions.
At least 28 third-party extensions were found to contain malicious JavaScript that could download additional malware, according to Avast. The extensions themselves are primarily designed to help users download videos from some of the world’s most popular sites, such as Facebook, Vimeo, Instagram, and YouTube.
Avast claimed that the ultimate goal for those behind the scheme could be to monetize traffic by forcing users to visit third-party sites, for which they are then paid, although users could also end up on phishing sites.
“Every time a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the target of the actual link to a new hijacked URL before redirecting them to the actual website they wanted to visit,” explained the Prague-based security provider.
“This procedure compromises user privacy as a log of all clicks is sent to these third-party intermediary websites. Actors also exfiltrate and collect users’ dates of birth, email addresses, and device information, including first login time, last login time, device name, operating system, the browser used and its version, including the IP addresses (which could be used to find the approximate geographical location history of the user).”
At present, it is unclear if the extensions were deliberately created with malware hidden inside them, or if malicious actors waited for them to become popular and then released a malware-laden update.
“It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterward,” said Jan Rubin, Avast malware researcher.
“The extensions’ back doors are well hidden and the extensions only start to show malicious behavior days after installation, making it difficult for any security software to discover.”
Although Avast first spotted the threat in November, the vendor admitted that it could have been active for years.
Interestingly, if an infected user performs a web search on one of the malicious domains, the malware in question will cease activity on their machine to hide from view. Avast claimed that it will do the same if it detects that the user may be a web developer, although it is unclear how.
Since the extensions are still available, Avast recommended users disable or uninstall them.