Browser Extensions, an Overlooked Phishing Attack Vector

A browser extension adds functions and features to your browsers. If you are like me, you are probably using them daily. The Chrome Web Store has over 180,000 extensions, ranging from productivity tools to shopping, games, and more. I use a password manager extension to generate unique and complex passwords to keep my online credentials safe. I use an extension that checks my grammar as I type, so my emails are actually readable. These extensions install quickly and easily, and once they are installed, they save me time and effort. The appeal and adoption of browser extensions to consumers are naturally attracting the attention of cybercriminals. 

Browser extensions can only be downloaded from their official stores. They are vetted by Google, Microsoft, and Safari before they can be listed for download. If this is the case, how do malicious extensions make their way into the official stores? There are many reasons, but here are a few:

  • Browser extensions can be hijacked. All major web browsers, including Google Chrome, automatically updates a user’s installed browser extensions when new versions are available. When a developer’s account is compromised, it can be used to push malicious updates to already installed extensions, as was the case with a popular Web Developer extension for Chrome
  • Browser extensions can be sold. Developers are approached by companies with offers to buy their extensions. Once an extension is sold, the new owners can update it with malicious features and upload it to the Chrome Web Store, and all the existing users are now using the new company’s version. This happened to a favorite extension Particles for YouTube in 2017
  • The initial vetting process is not perfect, allowing some malicious extensions to bypass the safeguards and get listed

Users download the extensions from the official app stores, but the journey doesn’t always begin there. SlashNext’s Threat Lab found that users are directed to the extension stores through ad networks that appear on benign websites and search results. The ad networks, typically with multiple redirects, takes visitors to a lure page with an install/continue button (Figure 1). Clicking on the continue button opens the official Chrome Web Store (Figure 2). Users assume the extension is benign, since it’s from the official store, and install it without realizing what lurks beneath. Once a malicious extension is installed, it can do anything. It can insert advertisements into your search results, redirect your search traffic to phishing webpages, and it could even function as a keylogger to steal your MS O365 login credentials.


Ad Network Phishing Lure Page

Figure 1: Ad Network Lure Page


Google Store Malicious App

Figure 2: Chrome Store Malicious Extension

SlashNext sources over a 10 million URLs and internet transactions daily, from passive DNS feeds, phishing traps, hardware sensors, and suspicious ads networks, just to name a few. Our Threat Lab has uncovered over a thousand rouge browser extensions in the official extension stores. Our phishing protection solution prevents users from downloading rogue browser extensions while reinforcing positive user behavior. When our solution blocks a threat, we display a screenshot of the lure page and a detailed description of the blocked threat, to always remind users to be vigilant (Figure 3).


Figure 3: SlashNext Block Page with Screenshot of Malicious Browser Extension

SlashNext Browser Phishing Protection shields employees from live phishing sites with a lightweight browser extension available for all major browser. With a browser warning and safe preview, users who attempt to browse to a malicious site are blocked and receive an informative warning page allowing them to access a safe preview screen shot of the blocked page along with detailed information about the threat. Users can also report the incident and request support.

Join our webinar on August 26 at 10 AM PT to see how SlashNext’s deep machine learning speeds the inspection of billions suspicious URLs/IPs/Host/Domains to detect threats real-time, and how our browser extensions make for easier deployment and management particularly with a distributed workforce.

Register today /webinar-mobile-the-new-battleground/

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.