Malicious browser extensions can pose a real threat, exposing users who download them to data breaches or launching malware onto their computers. But when seemingly innocent ad campaigns drive users to download malicious extensions, how can publishers keep their readers safe? We sat down with security experts Yuval Shiboli and Amnon Siev to get their tips and recommendations.
But first, let’s review the basics of malicious browser extensions.
What is a malicious extension/add-on?
Malicious browser extensions are third-party extensions that install malware onto users’ devices, illegally access private user data, or include code that was deliberately created to conduct any type of criminal or bad behavior.
Browser extensions can be very attractive to criminals because, unlike apps, they run on users’ browsers and don’t have to be open all the time to allow malware to function. Criminals often target users in display or search engine ads by offering incentives like access to video downloaders (such as a Vimeo video downloader), streaming services, PDF conversion tools, an Instagram story downloader, and more. Once a user installs these browser add-ons, scammers can access their online activity and collect sensitive information about anything they do on their browser or even in their operating system.
In the past, it wasn’t hard to get malicious browser extensions through the security mechanisms in browser extension stores—successful ones could rack up over a million users in a short period of time. In recent years, however, the Google Chrome Web Store and the extension marketplaces for browsers like Firefox and Microsoft Edge have cracked down on malicious code, and extensions are no longer an easy route for online criminals.
To circumvent these security mechanisms, criminals often launch a legitimate-looking extension that really does what it claims to do. Once the extension is installed, however, a popup or push notification appears. When users click it, malware is downloaded onto the device or a phishing scheme is triggered. Popups can include anything from explicit private messages to seemingly innocent tech tutorials.
There are two main types of data phishing that are commonly conducted through browser extensions:
Passive: Passive phishing silently follows everything that you do on your computer, either recording everything you type through keylogging or tracking your browsing history, an approach also known as sniffing.
Active: Active phishing involves impersonating trusted partners and trusted sources such as a credit card provider, and actively asking users for their personal information. They often claim to be looking into subscription issues, having trouble sending a verification email, or a variety of other ruses designed to convince a user to click on one of their links.
Examples of malicious browser extensions
The most common types of malicious browser extensions are PC cleaners and PDF converters that lead users to click on links with malware or links that expose them to phishing schemes.
Malicious PC cleaners
“3 viruses found on your computer, click here to clean them.” If you’ve ever had a popup like that appear on your screen, you know that it can be tempting to click on the link and download an extension.
This type of extension is successful because people are aware of the threat posed by computer viruses. They also know that things like cached or copied files can slow their computer down and understand the need to periodically review and clean up their device. So when a helpful popup appears on their screen encouraging them to get rid of unnecessary or problematic files, they are often inclined to click on the links, which can lead to data breaches once the extension is installed.
Malicious PDF Converters
If you’ve ever needed to convert an image file like a JPG or PNG to PDF format, search results likely led you to a variety of platforms and apps that help you do so. In fact, user behavior analysis shows that some of these types of platforms have over a million users directed from a given search engine.
Users download PDF converter extensions and, for the most part, they actually do convert the file to PDF. The user moves on to a new tab and forgets about the extension altogether. But the extension keeps working in the background, collecting telemetry data, phishing, or conducting some other type of illegal activity.
Can an extension contain malware?
Malicious third-party extensions put users and their devices at risk of a ransomware or malware attack, phishing, or having their private information exposed through sniffing and keylogging.
A bad extension exposes users to many different types of malicious code, including malware and ransomware. It can also introduce other malicious functionality, such as exploiting a device for cryptocurrency mining without the user’s knowledge. Last but not least, infected extensions often enable the theft of sensitive information by sniffers and keyloggers that focus on stealing data like usernames, passwords, login credentials, credit card numbers, Google search history, and other private information.
How to detect a malicious extension?
The best way to detect a malicious extension is through in-depth text, image, and keyword analysis based on machine learning models, supplemented by blacklists created through thorough research.
As mentioned above, leading browsers like Chrome have made a significant effort to manage extensions, protect users, and detect malicious extensions on their platforms. Therefore, malware built into the extension itself is often picked up by the store filters, or in-depth reviews.
Yuval explains that some extensions are still able to get through the store filters, so he and other security researchers have also created blacklists of bad actors in the field, carefully tracking their methods and language on an ongoing basis. These blacklists allow the experts to detect adware-hiding extensions that get past less discerning filters.
Yet blacklists alone aren’t enough in his opinion, since criminals often use adware to redirect users and lead them to install malicious extensions using a variety of ruses. Because this type of fraud has many layers, it is beyond the reach of simple ad blockers, which cannot assess what happens after a user clicks on the link in an ad.
“Only in-depth text, image, and keyword analysis based on machine learning models can find problematic extensions and the campaigns that lead to them, even if they’re not on a blacklist,” Yuval explains.
How to get rid of a malicious extension?
To get rid of malicious extensions, you need to block the ad campaigns that lead users to install them. Publishers need a real-time blocking solution that specializes in detecting issues on landing pages and attacks that happen post-click.
“Blocking anything malicious in advertising campaigns is an important first half of the equation. But although it provides security, blocking alone can kill a publisher’s revenue stream. Therefore, it’s critical that ad quality technology refreshes the ad unit, presenting the user a different ad, so as not to impact the publisher’s monetization,” says Amnon.
Both experts agree that full protection requires a solution robust enough to detect new campaigns, extensions, and domains using in-depth text, image, and keyword analysis, as well as cross-checking blacklists. It has to perform in real time and identify such ads across the publisher’s entire ad inventory, replacing them with alternative ads to prevent a loss of revenue.
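As an added illustration of the two-layer approach described in the detection and blocking sections above (blacklist cross-checks plus analysis of what the user reaches post-click), the following Python scorer is example code written for this article, not GeoEdge’s product or the experts’ own tooling. It assumes the redirect chain and landing page text have already been captured by a click-following crawler; the hostnames and lure phrases are constructed placeholders, and a weighted phrase list stands in for the machine learning text model.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed blacklist of hosts seen pushing malicious extensions (placeholder values).
BLOCKED_DOMAINS = {"bad-cleaner.example", "free-pdf-tools.example"}

# Weighted lure phrases of the kind the article describes; a stand-in for the
# keyword-analysis layer (a trained model would replace this list).
LURE_PATTERNS = [
    (r"\b\d+\s+viruses?\s+found\b", 3.0),
    (r"\bclick here to (clean|fix|remove)\b", 2.0),
    (r"\b(video|story) downloader\b", 1.0),
    (r"\bconvert [a-z0-9 ,]+ to pdf\b", 1.0),
    (r"\badd (to|the) (chrome|firefox|edge)\b", 1.5),
    (r"\bverification email\b", 1.5),
]

@dataclass
class Verdict:
    score: float
    reasons: list = field(default_factory=list)
    block: bool = False

def analyse_click(redirect_chain, landing_text, threshold=3.0):
    """Score what happens after an ad click: each hop of the redirect chain is
    cross-checked against the blacklist and the landing page text is scanned
    for lure phrases. A score at or above the threshold means block and swap the ad."""
    score, reasons = 0.0, []
    for url in redirect_chain:
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            score += 5.0
            reasons.append(f"blacklisted host: {host}")
    if len(redirect_chain) > 3:  # many-hop chains are typical of cloaked campaigns
        score += 1.0
        reasons.append(f"long redirect chain ({len(redirect_chain)} hops)")
    text = landing_text.lower()
    for pattern, weight in LURE_PATTERNS:
        if re.search(pattern, text):
            score += weight
            reasons.append(f"lure phrase matched: {pattern}")
    return Verdict(score, reasons, score >= threshold)

if __name__ == "__main__":
    # Constructed sample: a PC cleaner lure reached through a blacklisted host.
    chain = ["https://ads.example/click?id=1", "https://track.example/r",
             "https://bad-cleaner.example/landing"]
    print(analyse_click(chain, "3 viruses found on your computer, click here to clean them."))
```

A lure on a host that is not yet blacklisted still crosses the threshold on phrase matches alone, which is the gap Yuval describes blacklists leaving open.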
GeoEdge does all that and more. Learn how it works here.