Slashdot Mirror


Malicious Chrome Extensions Infect Over 100,000 Users Again (arstechnica.com)

An anonymous reader quotes Ars Technica: Criminals infected more than 100,000 computers with browser extensions that stole login credentials, surreptitiously mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google's official Chrome Web Store. The scam was active since at least March with seven malicious extensions known so far, researchers with security firm Radware reported Thursday. Google's security team removed five of the extensions on its own and removed two more after Radware reported them. In all, the malicious add-ons infected more than 100,000 users, at least one inside a "well-protected network" of an unnamed global manufacturing firm, Radware said...

The extensions were being pushed in links sent over Facebook that led people to a fake YouTube page that asked for an extension to be installed. Once installed, the extensions executed JavaScript that made the computers part of a botnet. The botnet stole Facebook and Instagram credentials and collected details from a victim's Facebook account. The botnet then used that pilfered information to send links to friends of the infected person. Those links pushed the same malicious extensions. If any of those friends followed the link, the whole infection process started all over again. The botnet also installed cryptocurrency miners that mined the Monero, Bytecoin, and Electroneum digital coins.

39 comments

  1. AI by 110010001000 · · Score: 4, Insightful

    Good thing we have AI to protect us from running malicious programs. Surely AI is able to do that?

    1. Re:AI by Anonymous Coward · · Score: 0

      Cue the msmash Al browser extension non-article in the next 15 minutes. And by Al, we mean a few hundred IF-THEN-ELSE statements written in Visual Basic.

    2. Re:AI by Ol Olsoc · · Score: 1

      Good thing we have AI to protect us from running malicious programs. Surely AI is able to do that?

      Only if we implement blockchain though!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:AI by Ol Olsoc · · Score: 1

      I’m starting up a new blockchain selling Fuckerberg shekels.

      Bless you, for you are doing God's work!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. Edge... LOL by Lunix Nutcase · · Score: 5, Funny

    This is why I only run Edge. You never have to worry about anyone wanting to write malware for it when only three of us use it.

    1. Re:Edge... LOL by phantomfive · · Score: 0

      Linx ftw!!

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Edge... LOL by Anonymous Coward · · Score: 0

      It's lynx or links2, you stupid idiot.

    3. Re:Edge... LOL by Lunix Nutcase · · Score: 1

      What does a British funk band have to do with things?

    4. Re:Edge... LOL by phantomfive · · Score: 0

      Dang it, I haven't used it in a decade!

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Edge... LOL by Anonymous Coward · · Score: 1

      I also use Edge... at the office and I feel safe because even MSN sites don't work.

  3. Chrome is a trojan by Anonymous Coward · · Score: 1

    It cares about market share and tracking over the security of the user. Unfortunately Firefox has also compromised its values and therefore its extention safety for ads. This leaves users without a viable extention ecosystem because Edge and Safari extentions aren't powerful enough and Pale Moon blocks extentions for political reasons. We need a powerful and secure extention system, we deserve better.

    1. Re:Chrome is a trojan by Ocker3 · · Score: 1

      How many of us are willing to pay for a license for something secure?

    2. Re:Chrome is a trojan by rojash · · Score: 1

      That's the dumbest thing I have heard. What makes you think a license makes it more secure?? Ever heard of Windows??

    3. Re:Chrome is a trojan by oldmac31310 · · Score: 1

      Extension.

      --
      http://www.acetonestudio.com
  4. Evidence that pointless OK buttons are horrible++ by Ocker3 · · Score: 1

    #rant I hate how many pointless messages there are in so many pieces of software. I've actually been sitting with a user who was clicking OK on every box that came up and said "I just want it to work..." The problem was that one of the messages had a specific piece of text in it that I wanted so that I could fix the problem. So in amongst the chaff was some actual wheat. Perhaps we'll need to wait until the next generation (who've hopefully grown up knowing about code from primary school) comes along and knows more than so many currently do about what should and shouldn't be necessary to just watch a YouTube video.

  5. Easy to stall this threat via hosts... apk by Anonymous Coward · · Score: 0, Troll


    * SOURCE of data is the article used on /.

    APK

    P.S.=> I'm currently porting APK Hosts File Engine to 64-bit Linux via FreePascal & Lazarus IDE (GTK type, I could do QT etc.) per noting it to 1 of my "troll fanclub" https://it.slashdot.org/comments.pl?sid=12087142&cid=56584104/ - so if you want more protection vs. more threats than just this one, via hosts + an easy to use GUI, it's coming for 64-bit Linux users too soon enough... apk

    1. Re:Easy to stall this threat via hosts... apk by DontBeAMoran · · Score: 1

      shouldn't that be 127.0.0.1 ?

      --
      #DeleteFacebook
  6. Google: the gift that just keeps on giving by Anonymous Coward · · Score: 0

    Google: the gift that just keeps on giving,

    Amirite, Google Asshole Shawn Willden, or amirite?

  7. NPAPI by Anonymous Coward · · Score: 0

    I remember times when Chrome started to block NPAPI to save us from malicious programs,
    and now we have a tested and stable platform for those programs called Chrome.

    1. Re:NPAPI by Anonymous Coward · · Score: 0

      Tested and Stable? I must be using a different chrome.

  8. Powerful all-present platform ... by Qbertino · · Score: 2

    ... breeds dangerous all-powerful problems. As Chrome OS and chrome-style new-gen powerbrowsers and the neat and nifty open web gain more and more ground this is a problem that the company pushing the web - Google - will need to address. Thoroughly. If they don't want their plan to fall flat on its face that is.

    I personally find it very encouraging that the web has finally reached the power it once only had with the all-present Flash and we're at the point where we can do basically anything on an open cross-platform technology. Stuff like this however I find discouraging. ... If you push too much of universal computing into the web, more and more malware pushers will adopt it and problems like these are likely to increase. Google will have to work on containing this.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Powerful all-present platform ... by blackest_k · · Score: 2

      This has been going on for years and Google knows it has too. A couple of years back I had a Slashdot story posted about it. This problem was raised to board members within Google and still there are malicious extensions within Google's extension repository.

    2. Re:Powerful all-present platform ... by Anonymous Coward · · Score: 0

      If you push too much of universal computing into the web, more and more malware pushers will adopt it and problems like these are likely to increase. Google will have to work on containing this.

      Yes, Google probably has to work harder to screen extensions, but ...

      The extensions were being pushed in links sent over Facebook that led people to a fake YouTube page that asked for an extension to be installed.

      ... if you follow a Facebook link to a YouTube video to get you to install an extension in Chrome, then very little can be done to protect you and your computer, because apparently you're just going to click yes and enthusiastically do something stupid

      This is purely people falling for something they don't understand, and voluntarily installing random crap.

      Guarding against that is almost impossible.

    3. Re:Powerful all-present platform ... by Anonymous Coward · · Score: 0

      Google - will need to address. Thoroughly. If they don't want their plan to fall flat on its face that is.

      The official Google response: "Digitally Sign ALL THE THINGS with our private key and lock out anything that doesn't verify against it. Everything must be stored in Google Drive so we can scan it for malware."

      Google won't "fix" this issue any more than Microsoft / Apple / or the various Linux distros will fix this issue. The problem isn't one of authorization, it's a problem of never making the trust decision in the first place. The people deciding what can run are too far removed from the actual device running it to actually know whether it's a good or bad thing. Meanwhile most users don't care enough about the device or its data to make informed decisions, but will whine and bitch when their decisions break it. Sure, the manufacturers can ban the obvious attacks, but beyond that, their ability to protect end users is severely limited. Without the end user being trustworthy enough and caring enough to make a decision on trust, the only solution they have is to ban everything by default, and assume guilt until proven innocent. That's a bad road to travel, not just due to the security risks involved for all, but also due to the perverse incentive it creates for the manufacturers as gatekeepers to control the market.

      As for this "web" problem, the solution was simple from the get go: Quit randomly executing code from a remote source. The original web specification never had remote execution capabilities and interactive APIs in it. It was a document viewer. Of course if you tack on interactive APIs and remote execution to stuff it's going to create issues. The fact that they attached it to a network client was even more reprehensible. When they did this they effectively said: "The net will be trusted to control our devices." You can't "fix" that problem. As long as the code you're executing is being fetched from a remote source, you will have this risk because you've externalized the issue of trust.

      If you want universal computing, you need universal APIs and standards to implement it, but the last thing you should do is mandate that the entire program be stored in the cloud somewhere. The web should just be storage, the executable bits should be local. TL:DR As long as it's in the cloud, you have to re-verify it every time you use it. You have no trust by default.

      Oh, one other thing: TLS certs are not the answer either. Those are created by people most have never met nor will meet, and do not account for bugs / vulnerabilities in the original / official code. TLS certs are just proof of possession, not of identity. You can't use a TLS cert to verify ownership, all you can use it for is to verify that the bits did not change since whoever signed it with the key. There is absolutely no way for a device to know whether or not one set of bits was signed by you vs. some hacker if they are signed with the same key. That's the reason why the PS3 private key leak was so bad. Everyone could pretend they were Sony with that key. The same is true for whoever possesses a private key, the device considers them the key's owner. Assigning trust to such a system, without any form of further verification, is beyond incompetent.

  9. Which... by hcs_$reboot · · Score: 1

    ...ones?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  10. time to give up by AndyKron · · Score: 1

    Is it time to give up on computers yet thanks to shitful humans? I am.

    1. Re:time to give up by rojash · · Score: 1

      You going fishing rest of your life huh

  11. Installation dialog on web page load ? really ? by herve_masson · · Score: 2

    Can anyone tell me why the browser displays an "Install XYZ extension" dialog when loading a web page?
    We all know that people simply click on "Ok" no matter what is shown on these dialogs.

    It seems to me that the installation of an extension should be entirely manual: go to the extensions page, find the extension by its name, check the information, click on "Install the button", review options such as "give access to ", click on "Validate".

    I doubt that people would make this way easily; it would be likely to filter out many abuses.

    It's not like we need to install dozens of extensions every day; convenience features to help extension installation are useless & dangerous.

    1. Re:Installation dialog on web page load ? really ? by Anonymous Coward · · Score: 0

      Boy, are you gonna be surprised when the legacy Firefox nerds wake up and read your post.

    2. Re:Installation dialog on web page load ? really ? by Anonymous Coward · · Score: 0

      And why is the Skype extension always installed by default on Windows, and Chrome never shows this dialog? And why does Chrome hide the settings to block third-party cookies? And many more things Chrome doesn't want you to turn off.

    3. Re:Installation dialog on web page load ? really ? by herve_masson · · Score: 1

      Yes. And very sadly, the same is true for Firefox, which is a real shame.

  12. You = The "SiDeWaLk-ShRiNk of /.", lol by Anonymous Coward · · Score: 0

    See subject (lol) & the viral hit by "The SoyBoyz": ''If you're going to TransManCisco? Be sure you wear your jimmyhats + bring Preparation H there. If you're going, to TransManCisco... You're going to meet a lot of transtesticle monsters and soyboy not men there. All across the nation: Surgical sawblade vibrations! Surgeons in motion, Sawing peckers + ball off tossing them into the SF Bay Ocean...'

    * They're playing YOUR SONG again - hahahaha classic!

    (Only way "your kind" would EVER get any notice &/or notoriety...)

    APK

    P.S.=> Quit projecting your own mental issues onto me as you cut & paste MY posts all over /. ... apk

  13. Kill off javascript already... by Anonymous Coward · · Score: 0

    Just get rid of JavaScript/any client-side scripting altogether and end this crap once and for all.

    Who on earth thought it was a good idea to be able to download and execute any old random code from any old random website on a local machine? No amount of sandboxing or access control is ever going to prevent this sort of crap. It's mind-bogglingly stupid.

    Browsers should serve static pages that are dynamically built on the server. End of discussion.

    JavaScript is the cancer of the internet.

  14. Re:Evidence that pointless OK buttons are horrible by Anonymous Coward · · Score: 0

    The paradigm is broken. Any message you need to fix a problem should go to a log file. Never send a message to a user expecting that they will be able to identify your problem for you.

  15. No for internal parse speed, BUT... apk by Anonymous Coward · · Score: 0

    See subject: When you go thru the File Open/Read-Write/Close (flush-close on I/O for append etc.) it's less to parse thru per line & faster by 2 chars per line & does SAME JOB blocking afaik - BUT (here's the 'but') I heard some MORONS say "0.0.0.0 on servers is not a block but rather open to all ports" which is TOTAL BULLSHIT afaik & am concerned vs. 127.0.0.1 which FORCES the IP stack to work vs. just blocking outright (sending it to limbo) - I refuse to BELIEVE the designers of the IP stack would be that f'ing dumb in fact to create 2 diff. functionalities based on servers vs. workstations (hardware-wise OR software-wise - now, some dumbshit doing a webserver might've F'd THAT up in HIS ware, but as far as the OS is concerned, I doubt it).

    * In my APK Hosts File Engine I offer you BOTH methods of conversion though (stupid to use 127.0.0.1 for blocking though due to the overheads per line on load OR parse above).

    You PENGUINS are in for a REAL TREAT when I finish this for Linux (GTK based) - I've designed it BETTER & am about 3/4 of the way done already since I built it for Windows long ago in mid 2012, it saved me TONS of work in FreePascal & Lazarus IDE (which to tell you the truth I am TOTALLY LIKING along w/ KUbuntu 18.04 latest/greatest - last time I tried it, it was 10.10 & in 2010 - it's gotten REALLY NICE - you f'ers (lol) MAY find ME turning into one of you "penguins" yet!

    Why?

    Heck - I've already done 5 THINGS in it (filter/dedup/false positives remove) BETTER & FASTER + MORE EFFICIENTLY vs. the Windows build is why!

    (I learn as I go, especially on rewrites into "other" languages (Object Pascal in Delphi & FreePascal are ALMOST IDENTICAL though, thank goodness)).

    APK

    P.S.=> Nicest part is once this Linux build is done, loading PC-BSD & doing it there is cake, then sending the code to my nephew @ Apple is an EASY COMPILE for MacOS X after that - based on how it's going so far? I may even RECOMPILE the Windows one in FreePascal & Lazarus vs. Delphi XE4 it's done in now (only thing I notice is a LARGER .exe size from FreePascal though)... apk
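Added example, not code from the thread or from the APK Hosts File Engine: a small Python hosts-file helper for the blocking approach discussed in the two APK posts above. It loads block entries written with either sink address (0.0.0.0 or 127.0.0.1), drops duplicates and the localhost-style false positives, reports malformed names, rewrites the list in whichever sink style you choose, and answers whether a name is blocked. The hosts content and domain names are constructed for the example.

```python
"""Hosts-file block-list helper (added example; not the thread's code).

Handles both sink styles argued over above, `0.0.0.0 host` and
`127.0.0.1 host`, as equivalent block rules for the same hostname.
"""
import re

SINKS = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately sit on 127.0.0.1; never treat them as block rules.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

# Constructed sample input (RFC 2606 names), not the list posted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.10 fileserver.lan        # a real mapping, not a block rule
0.0.0.0 miner-pool.example
0.0.0.0 cdn.miner-pool.example      # exact-name match: subdomains need own entries
127.0.0.1 miner-pool.example        # same host, other sink style: a duplicate
0.0.0.0 bad_host!.example           # malformed: reported, not loaded
"""


def parse_hosts(text):
    """Return (blocked_hosts, rejected_names), each in first-seen order."""
    blocked, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in SINKS:
            continue                              # ordinary name-to-IP mapping
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in NEVER_BLOCK:
                continue                          # false-positive guard
            if not _HOST_RE.match(host):
                rejected.append(host)
            elif host not in seen:                # dedup across both sink styles
                seen.add(host)
                blocked.append(host)
    return blocked, rejected


def render_hosts(hosts, sink="0.0.0.0"):
    """Rewrite the block list in one sink style (the conversion the post offers)."""
    if sink not in SINKS:
        raise ValueError(f"unsupported sink address: {sink}")
    return "".join(f"{sink} {h}\n" for h in hosts)


def is_blocked(hostname, blocked):
    """Exact-name check, the way the resolver consults a hosts file."""
    return hostname.lower().rstrip(".") in set(blocked)
```

Whatever sink style is chosen, a hosts file only catches names resolved through the local resolver; connections made straight to an IP address are not affected.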

  16. Go ahead... by MerlTurkin · · Score: 1

    ...keep using Facebook you idiots!