Malicious browser extensions have been a big issue in the past couple of years. One should not confuse outright malicious extensions with adware or toolbars even though they are related to some extend.
The core difference between those groups of extensions is that malicious extensions go beyond displaying ads, leaking information about a user's browsing behavior or being plain annoying.
Browser makers such as Google or Mozilla have invested time and money in methods to protect users from potentially unwanted extensions.
Google for instance created a new policy for Chrome recently that prevents the installation of extensions in the browser if those extensions are not listed in the Chrome Web Store.
While only valid for Chrome Stable and Beta versions on Windows, it supposedly protects users running those versions of the browser from falling prey to malware attacks.
There are manual ways around this protection so that Stable and Beta users can install extensions not available on the official Chrome Web Store.
The real problem is however that malware attacks can still attack the Chrome browser and add extensions to the browser even though that should not be possible anymore due to the protection feature.
Trend Micro discovered a new malware attack recently that targeted Chrome users. The attack started on Twitter were a user tweeted "Download this Video. Facebook Secrets . Link".
The link led to a specifically prepared page that downloaded an exe file to the user's computer automatically. When executed, it started to download additional files to the system and among the things it downloaded was a browser extension for Chrome.
The malware creates a new folder in Chrome's directory on the system and places browser components inside of it. Chrome parses the information automatically and adds it to the browser.
The interesting aspect here is that the extension gets added automatically to Chrome. There does not seem to be a prompt to inform the user about the new extension and it is not blocked automatically by the browser as well.
The attack has been designed to work on Windows machines only but the extension installation itself could work on non-Windows systems as well.
The only protection against this type of attack is to avoid the urge to click on links from unknown sources that promise something (interesting).
The click on the link is not the only step required in the attack though as the exe file itself won't do anything on its own. It is still necessary for the user to click on it and that antivirus solutions that run on the system don't block it from executing.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.