A browser extension is a piece of software that users can install to customise the functionality of a web browser. Browser extensions are handy, but they can also pose serious threats to privacy and security. As an increasing number of people have begun to rely on cryptocurrencies for online transactions, cybercriminals have adapted their tactics accordingly: browser extensions have become an attractive target for hackers looking to exploit unsuspecting crypto users. At the beginning of 2023, Kaspersky observed a two-fold increase in the number of malicious browser extensions, specifically those designed to perform web injects and steal cryptocurrency. There was also a rise in the number of malicious droppers that install harmful extensions on victims’ machines.
A malicious browser extension interferes in browser functionality and mimics legitimate software. It could be difficult to detect by antivirus software. Malicious extensions can alter what the user sees on his/her browser, as opposed to what is actually sent by the server. For example, these extensions can add or remove text, labels, text fields, and other website elements. Malicious extensions can track affiliate IDs, engage in phishing activities and steal credentials, as well as steal cryptocurrency.
For instance, a malicious extension can insert an additional field to a form sent by a crypto wallet server. The purpose of these extra fields (accompanied by supporting labels and instructions) is to dupe the user into entering certain confidential information (e.g., login credentials, credit card numbers, CVVs, PINs, tokens, etc.) even if that information was not being requested by the crypto wallet in the original form.
These malicious extensions often mimic legitimate ones, making it difficult for users to differentiate between safe and harmful add-ons. Once installed, these extensions can inject malicious code into users’ browsers, enabling cybercriminals to steal sensitive information such as private keys, seed phrases for crypto wallets, login credentials and two-factor authentication information.
A post offering a malicious browser extension loader for sale on the Darknet.
“Browser extensions can be installed both from official browser stores (e.g., in Chrome, Firefox) or direct from a file – this is currently available on Windows machines in the most popular browser – Chrome. When installed from outside the official stores, the risk of the extension being malicious increases. Users, especially those who engage in cryptocurrency operations on their Windows machines, should be wary of browser extensions that they install,” comments Sergey Lozhkin, Lead Security Researcher at Kaspersky GReAT.
To be protected, Kaspersky recommends:
- Don’t install too many extensions. Not only do they affect computer performance, but they are also a potential attack vector, so narrow their number to just a few of the most useful.
- Install extensions only from official Web stores. There, they undergo at least some scrutiny, with security specialists filtering out those that are malicious from head to toe.
- Pay attention to the permissions that extensions require. If an extension already installed on your computer requests a new permission, that should immediately raise flags; something is probably going on. That extension might’ve been hijacked or sold. And before installing any extension, it’s always a good idea to look at the permissions it requires and think about whether they match the functionality of the app. If you can’t find a logical explanation for the permissions, it’s probably better not to install that extension.
- Use a good security solution. Kaspersky Premium can detect and neutralise malicious code in browser extensions.