Shape-shifting Chrome extensions target wallets, no fix in sight


Malicious browser extensions have the ability to change into legitimate-looking password managers and digital wallets, stealing valuable user information. Major browsers, including Chrome and Edge, are impacted.

As if the security landscape wasn’t complicated enough, a new class of malicious extensions, with the ability to mimic legitimate services, was recently discovered.

Researchers at SquareX uncovered an intricate attack chain that starts with users unwittingly installing a malicious extension. One example is an AI tool that, at first, acts as advertised, performing the in-browser tasks that users prompt it with.


The sneaky part is that as long as the extension is installed, it scans for what other extensions users have installed. Once the malicious extension discovers something that interests attackers, it starts changing its appearance to look exactly like the target.


This type of behavior earned the malicious extensions the name “polymorphic.” Worryingly, whoever designed the malware did a really good job, as SquareX researchers claim the extension’s makeover is convincing to the point where it’s hard to distinguish which is which.

A polymorphic extension changes its icon and adjusts its interface and text to mimic a password manager’s or digital wallet’s browser extension. Since users often rely on the extension icon to know which extension they’re operating, attackers can easily dupe them into revealing sensitive details.

The attack even disables the legitimate extension so that there is no suspicion-raising doubling of extension icons.

From the user’s perspective, they click on a trusted service that opens a recognizable box on their browser. Nothing’s out of the ordinary. The victims see an all-too-common notification that they’re logged out of their password manager and are required to submit details.

However, once the victim enters, let’s say, their master password, attackers can use it to unlock their entire password vault. The situation gets even worse if the targeted app is a digital wallet.

According to the researchers, attackers target the most sensitive apps, such as developer tools, banking extensions, password managers, and other tools that would allow cybercrooks to steal victims’ funds.


Interestingly, malicious extensions don’t even appear on browsers’ security radar. That’s because they only need medium-risk permissions, similar to the ones that legitimate extensions require.

The worst part is that polymorphic extensions exploit a legitimate functionality of the Chrome browser, which means that there’s no patch to remedy the issue. SquareX believes the issue is not fixable because it is not a software problem, and there’s no vulnerability to fix.
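Since there is nothing for the browser vendor to patch, spotting the symptoms described above falls to users and administrators. The following is an added example, not code from the article or from SquareX: a small audit that takes an extension inventory in the shape returned by `chrome.management.getAll()` and flags a password-manager or wallet extension that has been switched off, plus any extension outside an approved list that holds the `management` permission (the permission an extension needs to disable other extensions). The approved-ID list, name pattern and inventory are constructed sample data.

```javascript
// Added example (not from the article or from SquareX). Audits an inventory of
// installed extensions, each shaped like a chrome.management.getAll() entry:
// { id, name, enabled, permissions }. In a real extension holding the
// "management" permission you would pass the getAll() result instead of
// SAMPLE_INVENTORY; here the data is constructed so the audit runs offline.

// Placeholder IDs of the extensions an organisation actually approves.
const APPROVED_IDS = new Set(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);
// Assumption: name pattern for the sensitive products you care about.
const SENSITIVE_NAME = /password|wallet|vault/i;

// Returns one finding per symptom: {id, reason}.
function auditExtensions(inventory) {
  const findings = [];
  for (const ext of inventory) {
    const approved = APPROVED_IDS.has(ext.id);
    const perms = ext.permissions || [];
    // Symptom 1: a sensitive extension that is installed but disabled, which is
    // what the article says the impersonator does to its target.
    if (SENSITIVE_NAME.test(ext.name) && !ext.enabled) {
      findings.push({ id: ext.id, reason: "sensitive_extension_disabled" });
    }
    // Symptom 2: an unapproved extension able to enable/disable others.
    if (!approved && perms.includes("management")) {
      findings.push({ id: ext.id, reason: "unapproved_can_manage_extensions" });
    }
    // Anything not on the allowlist is worth a look regardless.
    if (!approved) {
      findings.push({ id: ext.id, reason: "not_on_allowlist" });
    }
  }
  return findings;
}

// Constructed inventory: the approved password manager has been disabled, an
// unapproved "AI assistant" holds the management permission, and a benign
// tab tool is merely unapproved.
const SAMPLE_INVENTORY = [
  { id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", name: "Example Password Manager",
    enabled: false, permissions: ["storage", "tabs"] },
  { id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", name: "Smart AI Assistant",
    enabled: true, permissions: ["storage", "management"] },
  { id: "cccccccccccccccccccccccccccccccc", name: "Tab Tidy",
    enabled: true, permissions: ["tabs"] },
];

console.log(JSON.stringify(auditExtensions(SAMPLE_INVENTORY), null, 2));
```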