Nowadays, browser extensions can be a major security weakness if it is not appropriately addressed. The problem is with the malicious extensions, which deserve clear attention. The malicious extensions can cleverly attack supply chains by using obfuscating methods and hide the attacks. It then becomes difficult to detect and protect against cyber-attacks.
Many extensions don't need any special permission to run on one's mobile phone or computer. The extension tools are powerful, and they have the same ability as any user account to access data in the browsing session that comes upon a user's session. Sometimes people install extensions in the heat of the moment. They come across web pages offering better viewing with extensions, and without thinking, people click on them.
The exploitation of Browser extensions
Browser extensions are backdoors for botnets. This malware infects a system through a single remote-controlled attack on a computer network. A bot is a malware that is remote-controlled by an attacker and infects a computer by carrying out its commands. This type of attacker is known as bot-herder, and each machine under this attacker is called a bot. From a centralized point, the attacker can simultaneously carry out a coordinated criminal action. This enables an attacker to carry out large-scale activities that were previously not possible with a single malware.
The remote attackers who control the botnets ensure that infected machines can receive updates and change their behavior on the move. This enables a bot herder to rent out the botnet segments to the other hackers in the black market and make financial gains.
The above scenario recently came to light when a Singapore-based company known as Infatica. jio rented out botnet access to 10+million Web browsers so that those clients can hide their true identity or internet IP address. This action would mean using the browser's extension code in their creations.
Informatica has demonstrated how shadowy companies influence developers to maintain browser extensions from popular software such as Google, Microsoft, Apple, and Mozilla. They influence users to download extensions on their desktops and mobile devices to enhance their browsing experience.
Many of these extensions have gained millions of users. But the main catch is that as the number of users user base grows, it is difficult to maintain them with frequent software updates. Responding to the user's request for support services takes a long time for the developer. These extension developers do not have much scope for earning financial compensation for the work done by them. When a botnet company comes up with a lucrative offer to either buy an extension or pay the developer for including their code for a fee, it is difficult to ignore such an offer.
Companies like Infatica, lookout for developers having extensions with 50000+ users. If the extension developer agrees to incorporate Infatic's code, it gets anything between $15 to $45 every month for every 1000 users. This amount of money can be substantial and recurring income every month.
Some of the common botnet actions:
Email spam is still in vogue today, which is a known chosen line of attack. The spam botnets are large and are used mainly to send out mass spam emails that often include malware. Each bot can have a massive number of spams. For example, the “Cutwail” botnet can send up to 74 billing messages per day. Apart from sending spam messages, they are also used for recruiting new computers to the bot network.
DDoS ransomware attacks on organizations are used for leveraging large scales of botnet on a network or server, making it inaccessible to its original users. They decrypt it only after receiving the ransom money.
Financial botnets such as the “Zeus” botnet is used for breaching bank accounts or stealing credit card information. This financial theft is direct, and millions of dollars are stolen from multiple accounts quickly.
The supply chain is another sector that is now the target for attackers. Recently the solar wind episode became big news. Cybersecurity firm FireEye discovered malicious actors gained access to numerous public and private organizations around the world.
They trojanized SolarWinds’s Orion IT monitoring and management software as SUNBURST and reached the victims. The supply chain compromise included data theft and lateral movement. Highly skilled actors did this campaign with plenty of operational security.
Cybercriminals lookout for outdated browser extensions to compromise. They exploit abandoned and unused extensions as malware spreaders by installing special backdoors in an extension code. Either they purchase it outright from the original developers or pay a fee to insert their codes. Many popular browser extensions have not been updated for years.
A cybersecurity firm, Avast, has published a report in which it talks about how attackers manipulate evil extensions to browsers. Avast tracked down an extension known as “Cache Flow," which rides on top of Google Analytics traffic to hide its network operations. This gives them the leverage to pass on the user details from the data analytics to attackers.
Google recognized the threat of the extension Cache flow. To protect itself, it began to limit the ways of extension installation by users. The process of getting a browser from anyone’s website was blocked since 2018, and the only safe and legitimate way to get an extension was from Google Chrome Web Store. Google monitors the extensions on its Storefront. It automatically sends out the latest updates, and when it finds out that an extension is compromised, it eliminates it.
One can check out and see what extensions are being used by the system by clicking on the three-dot column, which appears on the top right corner of a browser. By selecting the 'More Tools' option in the menus and then 'Extensions.' One will see which extensions have been installed and their details. Then, one can decide whether to restrict the extension to a specific website or delete any of them if it is unrecognizable.
Cybersecurity experts point out that one should not agree to any extension updates if sudden requests for more permissions than a previous version. This request could be a red flag.
Going forward, one should be careful when installing browser extensions; it is better to remain with those actively supported, say Google play store. Another way to protect is by using Avast Secure Browser based on Chrome code and is available for Windows, Mac platforms, and Android and iOS mobile devices. This browser comes with a special extensions guard setting that blocks any new extensions from getting.