HUGE Google Chrome Spyware Ring: 111 Add-ons, 15K Domains

Thought Google Chrome was safe? Think again. Researchers have found an enormous mess of browser extensions that spy on you.

The spyware is said to be installed in almost every company and organization they looked at, “across financial services, oil and gas, media … healthcare … retail, high-tech … education and government.” The researchers are pointing the finger at a domain registrar known as Galcomm, which denies involvement.

While Google has taken down the extensions, commentators criticize the search-cum-advertising company for not being more proactive.

We need to wake up to the potential of browser add-ons to do bad things. In today’s SB Blogwatch, we open the Chrome Extensions page and get paranoid.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: memeolicious.


GOOG FAIL

What’s the craic? Joseph Menn reports—“Massive spying on users of Google’s Chrome shows new security weakness”:

 Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month: “When we are alerted of extensions … that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

It is unclear who was behind the effort to distribute the malware. [But] all of the domains in question, more than 15,000 … in total, were purchased from a small registrar in Israel, Galcomm. … Galcomm owner Moshe Fogel [said] his company had done nothing wrong: “Galcomm is not involved, and not in complicity with any malicious activity whatsoever. … We cooperate with law enforcement and security bodies to prevent as much as we can.”

Best headline writer of the day? Tim “chicken dinner” Anderson—“Chrome extensions are ‘the new rootkit’ say researchers”:

 Researchers [are] making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google’s store. [They found] a bunch of malicious browser extensions, 111 in total [and] 79 were available in the Chrome store, the official source for Chrome browser extensions (and also now usable by Microsoft’s Chromium-based Edge).

A point made by the researchers is that widespread enterprise migration to the cloud often also implies that business activity is frequently done within the browser. … No need to break into the operating system if valuable data can be extracted via the browser alone. … If the user can be tricked into allowing it, a browser extension can have considerable power.

[They] said the security industry is complacent about malware that extracts data, which is often labelled as “PUPs, Adware or Greyware” by most antivirus products, understating the risk it poses. … The researchers pointed the finger at ICANN, which oversees the accreditation of registrars, for doing little to enforce requirements such as responding quickly to “well-founded reports of illegal activity. … Even these minimal requirements from ICANN … are not being followed by Galcomm.”

Who raised the alarm? Awake Security’s Gary Golomb all but accuses Galcomm of being a “Malicious Domain Registrar”:

 [We] uncovered a massive global surveillance campaign exploiting the nature of Internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments. … This criminal activity is being abetted by a single Internet Domain Registrar: CommuniGal Communication Ltd. (GalComm).

Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious. … We have harvested 111 malicious or fake Chrome extensions using GalComm domains.

Critical and popular applications like Microsoft 365, Google, Salesforce, Workday, Facebook, LinkedIn and Zoom live in our Internet browsers. … Rogue browser extensions pose a significant risk.

These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc. … Awake has since worked with Google to take down these extensions from the Chrome Web Store.

We believe registrars like GalComm can effectively function like cyber arms-dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences or oversight. … CIOs, CISOs and security teams in enterprises around the world are subject to extraordinary levels of audit, oversight, and accountability. … How is it that the same does not apply to organizations like registrars?

Those who cannot remember the past are condemned to repeat it. lamer01 channels George Santayana:

 [It’s] ActiveX all over again. … The hubris of IT people never ends. Make something that’s easily extensible = security nightmare.

Whose intellectual close friends get to call him TeeCee: [You’re fired—Ed.]

 Once upon a time, all your work was done with applications running on an O/S. Many times it was found that weaknesses in the OS permitted the underhand installation of nasty things that could compromise your applications. Over many years OS security was improved until such things became, largely, a thing of the past.

Then we moved all your work into the browser. … Rinse, repeat.

Who could possibly have seen that coming?

Is this part of a wider pattern? ThePhysicist alleges an allegation:

 There is a web intelligence company in Israel that is known to buy popular browser extensions like “Web of Trust” and use them to exfiltrate browsing data (with tons of sensitive and personal information). They have been called out for this several times already. … Firefox isn’t better than Chrome in that regard BTW, as it also turns a blind eye on this kind of data collection.

It still boggles my mind how you can call a browser secure … and at the same time allow such blatant abuse. … I and other people have been pointing this out since at least 2016 and demanded better security controls … but I’m getting really tired of it.

It’s still so easy … to install add-ons that spy on your entire browser session and send tons of telemetry data to a backend. … Such behavior shouldn’t be something that can be turned on with two clicks.

O RLY? USER100 scribbles:

 Stop the press. … In other news, ‘Bears Defecate In Woods’, ‘Pope is Catholic’

Plus shocking expose: ‘Earth Is Not Flat!’

But but but, “Do no evil.” Yeah, right, “0xy” seems to say:

 I wonder if these extensions are so hard to spot because spying is a core feature of Google Chrome, and most top extensions do this. … It’s hard to see why Google would care when Chrome was always a Trojan horse to co-opt web standards for their own purposes and to prevent measures taken against invasive tracking and data collection.

Chrome will actively track you on practically every site by sending an identifier to a whitelist including DoubleClick. … Google was sued just this month for tracking users while they were using incognito mode.

Google does not have a good track record with the truth or community goodwill (they stabbed Firefox in the back). It’s an advertising company making billions of dollars specifically from the use of tracking data.

Meanwhile, this Anonymous Coward channels la GOOG:

 Only we are allowed to spy on Chrome users. The rest of you can take a hike!

And Finally:

What indeed?



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Tumisu (via Pixabay)

