Security researchers have found a Google Chrome extension which steals payment card information and which is still available on Chrome Web Store.
Researchers at Cybersecurity firm ElevenPaths have discovered the malicious extension, which has been active since February 2018. A blog post made by ElevenPaths says, “We have detected an extension for Google Chrome, still active, that steals data from web site forms visited by the victims. This extension, which is still available on Chrome Web Store –the extension market for Chrome– has been active from February 2018. It is hidden within the searches performed on the Web Store, and it can only be accessed through a link that the attackers are spreading by means of JavaScript injection attacks on websites that make them to be redirected to that extension using that link.”
The ElevenPaths blog post explains that the malicious extension, which seems to be a ‘Reader Flash’ created by the supposed developer fbsgang.info, is distributed through the injection method. The extension embeds a simple function within all the websites that a user visits and exploits API functionality webRequest.onBeforeRequest to intercept the user’s form submission.
“This registered function monitors, by means of regular expressions, credit card numbers (if you look at the code you will realize that there are regular expressions for Visa (vvregex), MasterCard (mcregex), etc. That is, in case of any of the data included in the request is a card number, these numbers –encoded in JSON– will be sent to the attacker through an AJAX request,” reads the ElevenPaths post.
This malicious extension, when detected, had been installed 400 times. Though it’s available on the Chrome Web Store for almost a year now, it has not spread massively as the extension is made public only to those who know the link and is not available through usual searches performed on the Web Store.
The ElevenPaths team explains how it all works- “Instead of targeting victims through searches or massive emailing –which would make this campaign much more successful but at the same time much more ‘detectable’– the attackers have opted for another method. They infect websites (all the webs in the hosting, as observed) using a JavaScript that can detect if the browser is a Chrome one. In such a case, they just redirect to a website indicating the users that they must install Flash, and then they are redirected to that extension.” The users are thus requested to install Adobe Flash or are redirected to the Chrome extension market, specifically to the malicious extension.
ElevenPaths has reported the extension to Google, to get it removed from the Chrome store.
