Malicious browser extensions can pose a real threat, exposing users who download them to data breaches or launching malware onto their computers. But when seemingly innocent ad campaigns drive users to download malicious extensions, how can publishers keep their readers safe? We sat down with security experts Yuval Shiboli and Amnon Siev to get their tips and recommendations.
But first, let’s review the basics of malicious browser extensions.
What is a malicious extension/add-on?
Malicious browser extensions are third-party extensions that install malware onto users’ devices, illegally access private user data, or include code that was deliberately created to conduct any type of criminal or bad behavior.
Browser extensions can be very attractive to criminals because, unlike apps, they run inside the user’s browser, so the malicious code works whenever the browser is open without the user having to launch anything. Criminals often target users in display or search engine ads by offering incentives like access to video downloaders (such as a Vimeo video downloader), streaming services, PDF conversion tools, an Instagram story downloader, and more. Once a user installs these browser add-ons, scammers can access their online activity and collect sensitive information about anything they do in their browser or even in their operating system.
In the past, it wasn’t hard to get malicious browser extensions through the security mechanisms in browser extension stores: successful ones could rack up over a million users in a short period of time. However, in recent years the Google Chrome Web Store and the extension marketplaces for browsers like Firefox and Microsoft Edge have really cracked down on criminal activity and malicious code, and extensions are no longer the easy route for online criminals.
To circumvent these security mechanisms, criminals often launch a legitimate-looking extension that actually does what it claims to do. But once the extension is installed, a popup or push notification appears. When users click it, malware is downloaded onto the device or a phishing scheme is enabled. Popups can include anything from explicit private messages to seemingly innocent tech tutorials.
There are two main types of data phishing that are commonly conducted through browser extensions:
Passive: Passive phishing follows everything that you do on your computer, either recording everything that you type (keylogging) or tracking your browsing history, an approach also known as sniffing.
Active: Active phishing involves impersonating trusted partners and trusted sources such as a credit card provider, and actively asking users for their personal information. They often claim to be looking into subscription issues, having trouble sending a verification email, or a variety of other ruses designed to convince a user to click on one of their links.
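The passive collection described above depends on what the browser lets an extension see: an extension that can run on every site, watch every network request, or read the clipboard is in a position to sniff browsing history and keystrokes. One defensive check a practitioner can run is to inventory the extensions installed in a browser profile and flag those capabilities. The script below is an added example written for this article, not code from the original post or from any vendor; it assumes the Chromium-style on-disk layout (`<profile>/Extensions/<id>/<version>/manifest.json`) and the standard `permissions`, `host_permissions` and `content_scripts` manifest fields. The two sample manifests and their extension IDs are constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that give an extension access to every site the user visits
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that enable the kind of passive collection the article describes
RISKY_PERMISSIONS = {
    "webRequest": "can observe every network request",
    "webRequestBlocking": "can modify or block every network request",
    "tabs": "can read the URL and title of every open tab",
    "history": "can read browsing history",
    "cookies": "can read session cookies",
    "clipboardRead": "can read the clipboard",
    "nativeMessaging": "can talk to a native program outside the browser",
    "debugger": "can attach to pages with full control",
}

# Constructed sample manifests (IDs and names are made up for this example)
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "PDF Converter Helper",
        "manifest_version": 3,
        "permissions": ["tabs", "webRequest", "clipboardRead", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Dark Mode for example.com",
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
    },
}


def assess_manifest(manifest: dict) -> dict:
    """Triage one extension manifest (MV2 or MV3) and return a summary."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 manifests list host patterns inside "permissions"; split them out
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts

    script_matches = set()
    for cs in manifest.get("content_scripts", []):
        script_matches.update(cs.get("matches", []))

    findings = []
    broad = bool((hosts | script_matches) & BROAD_HOSTS)
    if broad:
        findings.append("runs on or reads every site the user visits")
    risky = sorted(perms & RISKY_PERMISSIONS.keys())
    for p in risky:
        findings.append(f"{p}: {RISKY_PERMISSIONS[p]}")

    # Broad host access combined with a sniffing-capable permission is the worst case
    if broad and risky:
        risk = "high"
    elif broad or risky:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def scan_manifests(manifests: dict) -> list:
    """Assess a mapping of extension id -> manifest, worst risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for ext_id, manifest in manifests.items():
        result = assess_manifest(manifest)
        result["id"] = ext_id
        results.append(result)
    return sorted(results, key=lambda r: order[r["risk"]])


def scan_profile(extensions_dir: Path) -> list:
    """Load every <id>/<version>/manifest.json under a profile's Extensions directory."""
    manifests = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            manifests[manifest_path.parent.parent.name] = json.load(f)
    return scan_manifests(manifests)


if __name__ == "__main__":
    # Run against the constructed samples; point scan_profile at a real profile to audit one
    for r in scan_manifests(SAMPLE_MANIFESTS):
        print(f"[{r['risk']:6}] {r['name']} ({r['id']})")
        for finding in r["findings"]:
            print(f"          - {finding}")
```

A "high" result is not proof of malice: a legitimate ad blocker also needs `webRequest` and `<all_urls>`. The value of the check is that it narrows a fleet-wide inventory to the handful of extensions whose capabilities actually match the threat, so a reviewer can look at where they came from and what they do.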
Examples of malicious browser extensions
The most common types of malicious browser extensions are PC cleaners and PDF converters that lead users to click on links with malware or links that expose them to phishing schemes.
Malicious PC cleaners
Figure 2: Windows Clickbait Pop-Up
“3 viruses found on your computer, click here to clean them.” If you’ve ever had a popup like that appear on your screen, you know that it can be tempting to click on the link and download an extension.
This type of extension is successful because people are aware of the threat posed by computer viruses. They also know that things like cached or copied files can slow their computer down and understand the need to periodically review and clean up their device. So when a helpful popup appears on their screen encouraging them to get rid of unnecessary or problematic files, they are often inclined to click on the links, which can lead to data breaches once the extension is installed.