Google Chrome browser extensions targeted by massive spying campaign

Researchers from the Awake Security Threat Research Team have uncovered a massive spying campaign using malicious Chrome browser extensions. According to a post on Awake’s official website, domain registrar CommuniGal Communication Ltd. (GalComm) is using Google Chrome browser extensions to surveil civilians and various industries worldwide. GalComm had been considered to be a trustworthy source, and it was this trust that was allegedly leveraged to enable the campaign, according to Awake.

Awake researchers published the following statistics about the campaign (the words in emphasis are Awake’s own):

Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools... In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.

Because GalComm was considered a trusted domain registrar, anti-malware scanners did not flag the Chrome extensions as malicious. This would allow GalComm to have unmitigated access to those that downloaded its extensions. The extensions have been downloaded 32,962,951 times, and this number only includes Chrome extensions. Google has since purged the Chrome extensions from its store, but third-party extensions are still out in the wild. Google has had problems with malicious extensions in the past.

GalComm owner Moshe Fogel denied Awake’s allegations in an email exchange with Reuters. In this exchange, Fogel was quoted as follows by Reuters:

GalComm is not involved, and not in complicity with any malicious activity whatsoever... You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.

Industries targeted by this Chrome browser extensions spying campaign, according to Awake, include “financial services, oil and gas, media and entertainment, health care and pharmaceuticals, retail, high-tech, higher education, and government organizations.” This entire ordeal has called into question the vetting process that domain registrars undergo. If GalComm had been correctly flagged, none of this damage would have taken place. Security professionals are using Awake’s research to determine a plan of attack that prevents something like this in the future.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

The new brain drain: What if WFH tech employees don’t come back?

Offices are reopening, but after months of a work-from-home routine, many employees may not want…

9 hours ago

Amazon Fraud Detector generally available

Online payment frauds are a threat to any company doing business on the Web. Amazon…

12 hours ago

Identity and access management sector buzzes with new funding, partnerships, solutions

Because no organization wants to end up in the headlines for a data breach, there…

15 hours ago

Remove virtual machines and virtual hard disks completely with PowerShell

Deleting virtual machines is easy, but if you don’t also remove virtual hard disks, you…

1 day ago

Secure your WordPress website: Simple steps to stay safe

Many small businesses use WordPress to build their website. And while WordPress has many options…

2 days ago

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

4 days ago