Researchers from the Awake Security Threat Research Team have uncovered a large spying campaign built on malicious Chrome browser extensions. According to a post on Awake’s website, the domain registrar CommuniGal Communication Ltd. (GalComm) is alleged to be using Google Chrome extensions to surveil consumers and organizations across many industries worldwide. GalComm had been regarded as a trustworthy source, and, according to Awake, it was precisely that trust that was leveraged to keep the campaign running.
Awake researchers published the following statistics about the campaign (quoted from Awake’s report):
Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools… In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
Because GalComm was considered a trusted domain registrar, anti-malware scanners did not flag Chrome extensions that relied on its domains as malicious, which gave the campaign’s operators unimpeded access to the browsers of everyone who installed the extensions. Awake counted 32,962,951 downloads, and that figure covers only installs through the Chrome Web Store. Google has since removed the extensions from its store, but copies distributed outside the store are still circulating. Google has had problems with malicious extensions before.
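The capabilities Awake lists (screenshots, clipboard access, cookie and token theft, keystroke capture) all require specific permissions in an extension’s manifest.json, and the loader and command-and-control hosts show up there too, as host patterns and the update_url. The following is an added example, not code from Awake’s report or from this article, that audits the extensions in a Chrome profile offline from their manifests: it flags the permissions behind those capabilities, collects the hosts each extension may reach or update from, and checks them against a suspect-domain list you supply. The mapping from permission to capability is this example’s own reading of the Chrome permission model, and the sample manifest and the domain example-registrar.test are constructed for illustration; no real extension or GalComm domain appears here.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Permissions behind the capabilities described in the report. Which permission
# enables which capability is this example's assumption, not a list from Awake.
RISKY_PERMISSIONS = {
    "tabs": "enumerate tabs; with host access, capture screenshots",
    "activeTab": "read and script the current page",
    "cookies": "read session cookies and credential tokens",
    "clipboardRead": "read the clipboard",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "modify or redirect requests",
}

# Host patterns meaning "every site"; a content script with one of these can
# attach key listeners on any page the user visits (keystroke capture).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Match-pattern grammar: scheme://host/path, e.g. "*://*.example.com/*".
_MATCH_RE = re.compile(r"^(\*|https?|ftp|file|ws|wss)://([^/]+)(/.*)?$")


def host_from_pattern(pattern):
    """Hostname from a match pattern, or None if the string is not one."""
    m = _MATCH_RE.match(pattern.strip())
    if not m:
        return None
    host = m.group(2)
    return host[2:] if host.startswith("*.") else host


def assess_manifest(manifest):
    """Summarise what an extension may do, from manifest.json alone.

    Handles MV2 (host patterns mixed into "permissions") and MV3
    ("host_permissions"). Purely offline: nothing is fetched.
    """
    perms = list(manifest.get("permissions", []))
    host_perms = list(manifest.get("host_permissions", []))
    script_matches = [p for cs in manifest.get("content_scripts", [])
                      for p in cs.get("matches", [])]

    hosts, broad = set(), False
    for p in perms + host_perms + script_matches:
        if p in BROAD_HOSTS:
            broad = True
            continue
        h = host_from_pattern(p)
        if h and h != "*":
            hosts.add(h)
    # Sideloaded extensions fetch updates (and possibly payloads) from here.
    update_host = urlparse(manifest.get("update_url") or "").hostname
    if update_host:
        hosts.add(update_host)

    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "risky_permissions": {p: RISKY_PERMISSIONS[p] for p in perms
                              if p in RISKY_PERMISSIONS},
        "runs_on_all_sites": broad,
        "broad_content_scripts": any(p in BROAD_HOSTS for p in script_matches),
        "hosts": sorted(hosts),
    }


def matches_suspect(hosts, suspect_domains):
    """Hosts equal to, or subdomains of, a domain on the suspect list."""
    return sorted({h for h in hosts for d in suspect_domains
                   if h == d or h.endswith("." + d)})


def scan_extensions(extensions_dir, suspect_domains=()):
    """Assess every <Extensions>/<id>/<version>/manifest.json under a profile.

    Usual locations (assumed; check your own install):
      Linux:   ~/.config/google-chrome/Default/Extensions
      macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
      Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions
    Names may be "__MSG_xxx__" placeholders resolved from the _locales folder.
    """
    reports = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(mf, encoding="utf-8") as fh:
            report = assess_manifest(json.load(fh))
        report["id"] = mf.parents[1].name
        report["suspect_hosts"] = matches_suspect(report["hosts"], suspect_domains)
        reports.append(report)
    return reports


# Constructed sample manifest (not from any real extension) with the
# permission set a surveillance extension would need.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Search Helper",
    "version": "1.2.3",
    "permissions": ["tabs", "cookies", "clipboardRead", "<all_urls>",
                    "*://updates.example-registrar.test/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "update_url": "https://updates.example-registrar.test/crx",
}

if __name__ == "__main__":
    import sys
    suspects = {"example-registrar.test"}  # constructed; use your own intel
    if len(sys.argv) > 1:
        reports = scan_extensions(sys.argv[1], suspects)
    else:
        r = assess_manifest(SAMPLE_MANIFEST)
        r["suspect_hosts"] = matches_suspect(r["hosts"], suspects)
        reports = [r]
    for r in reports:
        flags = [k for k in ("runs_on_all_sites", "broad_content_scripts") if r[k]]
        print(f"{r['name']} {r['version']}: perms={sorted(r['risky_permissions'])} "
              f"flags={flags} hosts={r['hosts']} suspect={r['suspect_hosts']}")
```

Run it with a profile’s Extensions directory as the argument to audit a real install, or with no argument to see the constructed sample scored. A hit on the suspect list is a lead, not a verdict: the manifest says what an extension may do and where it may talk, while the JavaScript it ships (and whatever its loader page serves later) says what it actually does, so treat flagged extensions as candidates for pulling the extension directory and reviewing the code.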
GalComm owner Moshe Fogel denied Awake’s allegations in an email exchange with Reuters, which quoted him as follows:
GalComm is not involved, and not in complicity with any malicious activity whatsoever… You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.
According to Awake, the industries targeted by this Chrome extension spying campaign include “financial services, oil and gas, media and entertainment, health care and pharmaceuticals, retail, high-tech, higher education, and government organizations.” The episode has called into question how domain registrars are vetted, and how much weight reputation-based scanners should give to a registrar’s standing: had GalComm been flagged earlier, much of this damage could have been avoided. Security teams are drawing on Awake’s research to work out how to prevent a repeat.