Malicious Chrome extensions promoted via Facebook
Malicious Chrome extensions are lurking on the official Chrome Web Store, warns Kaspersky Lab Expert Fabio Assolini, and the campaign for leading users to them starts on Facebook.
The messages appear on compromised accounts, tag several of the victims’ friends, include a link to a page hosted on one of several .tk domains, and offer no explanation.
The domains host a webpage in Turkish, urging visitors to download a bogus Google Chrome update and to install a “Chrome Guncellemesi” (“Chrome Update”) extension:
Those who opt to do so are redirected to the official Chrome Web Store, where the bogus extension is hosted:
The extension’s permissions show that its definitely not benign, as it can access the users’ data on all websites; read and modify their browsing history; access their tabs and browsing activity; manipulate settings that control websites’ access to cookies, JavaScript, and plugins; and more – and that’s not all.
“After installation on a user’s computer the extension does a number of malicious things; such as doing the action ‘like’ on several profiles of users and company pages, as part of a scheme to sell ‘likes’. It can also control your Facebook profile entirely, collect cookies, post in your wall, etc,” warns Assolini.
Even though Google has been informed of this and they have removed the extension in question from their web store, others are sure to pop up eventually.
Since Google stopped allowing the installation of extensions that are not hosted on the official web store and made silent installations impossible, cybercriminals have been left with no other option but trying again and again to plant their malicious extensions in Google’s store.