A new report published late last night states that a newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, according to researchers at Awake Security. This highlights the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.
Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.
Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.
Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.
Golomb added that the extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains.
It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.
Former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security stated for the report that "Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime."
While deceptive extensions have been a problem for years, they are getting worse. They initially spewed unwanted advertisements, and now are more likely to install additional malicious programs or track where users are and what they are doing for government or commercial spies. For more on this read the full Reuters report.