- Koi Security researchers found almost two dozen browser add-ons spying on users
- The add-ons were tracking visited sites and communicating with remote C2 infrastructure
- Users were likely compromised along the way
Many Google Chrome and Microsoft Edge browser add-ons, including several prominent products, were found to be spying on users and communicating with a third-party server, in what appears to be a supply-chain attack with millions of victims.
Security researchers from Koi Security were recently looking into a seemingly benign Chrome add-on called “Color Picker, Eyedropper — Geco colorpick” which allows users to quickly identify and copy color codes from any point within their browser.
While working as advertised, and having thousands of downloads and positive reviews, the add-on also did something in the background – it hijacked browser activity, tracked the websites users were visiting, and communicated with remote C2 infrastructure. This prompted the researchers to investigate further, leading to the discovery of an entire web of add-ons, all doing similar things.
How to stay safe
They named the campaign Operation RedDirection, and counted 18 add-ons, cumulatively compromising 2.3 million users across Chrome and Edge.
The entire list of add-ons can be found here – it includes VPNs, site “unblockers”, weather forecast add-ons, emoji add-ons, and more.
The researchers also determined that these add-ons were not malicious from the get-go. They were simple, clean products that were most likely hijacked somewhere along the line. Many have hundreds of positive reviews, and some were featured in prominent places on the Chrome Web Store.
Most were removed from the Play Store, but according to BleepingComputer, “many of them continue to be available”. Although it wasn’t clearly specified, it’s safe to assume they’re available through third-party stores and standalone websites.
If you were running any of the add-ons from the list, you should remove them immediately, clear browsing data, and run a full system scan using an updated antivirus solution.
It would also be wise to replace any passwords stored in the browser, as well as other sensitive auto-fill data. Data breaches are becoming increasingly common, with almost a third of enterprises experiencing a breach despite increased cybersecurity investments. You can see whether your information is affected using the popular breach checking website HaveIBeenPwned?
As well as identity theft protection software, users can keep themselves secure by being ultra cautious of any unexpected communications, thoroughly checking any emails and texts they receive, and never clicking on any untrusted links.
Via BleepingComputer
