A chrome extension that still available on Chrome Web Store steals the payment card information from website forms visited by the users.
The extension found to be active form February 2018, and the extenstion hidden from regular searches and will be available only through the link that attackers use to spread.
Malicious extension named Reader Flash distributed through injection method, attackers use to infect websites with malicious javascript which detects the browser used by victims and indicates to install flash and redirect them to download the extension.
According to Elevenpaths analysis, the extension embeds simple function to all the websites visited by the user and exploits API functionality webRequest.onBeforeRequest and intercept the user’s form submission.
The injected scripts regularly monitor credit card numbers by having regular expressions in the code for Visa (vvregex), MasterCard (mcregex), etc.”In case of any of the data included in the request is a card number, these numbers –encoded in JSON– will be sent to the attacker through an AJAX request.”
Reader Flash extension found installed more than 400 times and the extension will be available only through the link and not through commom search.”The infrastructure has not been massively spread so far.”
The extension has been reported by Elevenpaths to Google to remove the extension from the Chrome store.
Also Read
Mega vs Dropbox: Most Important Cybersecurity Consideration in the Cloud
