Cybersecurity researchers at ReasonLabs have discovered the presence of three fake Chrome extensions that are masquerading as VPNs. While it's easier to get fooled by the ads on the internet, the same goes with web browser extensions that you mindlessly download on your PC.

According to the latest report, this new security incident has already affected more than 1.5 million users globally.

Deceptive Origins of Fake Chrome Extensions

(Photo: Rubaitul Azad from Unsplash)
The latest research from ReasonLabs, a cybersecurity firm, revealed that fake Chrome extensions disguised as VPNs steal computer data.

Disguised as VPNs, the malicious extensions, namely netPlus (1 million installs), netSave, and netWin (500,000 installs), infiltrated users' browsers through an installer concealed within pirated copies of popular video games like Grand Theft Auto, Assassins Creed, and The Sims 4. These infected game copies are distributed through torrent sites, posing a significant risk to unsuspecting users.

With a primary focus on Russia and neighboring countries such as Ukraine, Kazakhstan, and Belarus, the malicious campaign strategically targets Russian-speaking users. This geographic concentration emphasizes the cybercriminals' intent to exploit specific regions.

Related Article: Fake 'ChatGPT for Google' Chrome Extension Reportedly Steals Facebook Accounts

Automated Infections: Silent Takeover on Registry Level

According to Bleeping Computer, the infection process is automated and forced, occurring at the registry level without any user interaction or requirement. The installer, ranging from 60MB to 100MB in size, leverages over a thousand distinct torrent files to deliver the malicious payload, facilitating widespread distribution.

Mimicking Legitimate VPN Services

To create a façade of authenticity, the malicious extensions employ a realistic VPN user interface, complete with some functionality and a paid subscription option. This deceptive approach aims to trick users into believing they are using legitimate VPN services, adding a layer of complexity to the cyber threat.

Exploiting Access to DOM and Browser Functions

Code analysis reveals the malicious extensions' extensive permissions, including access to "tabs," "storage," "proxy," "webRequest," and more. Notably, the abuse of the 'offscreen' permission enables the malware to run scripts through the Offscreen API, clandestinely interacting with the web page's current DOM. This heightened access allows the extensions to execute various malicious activities.

The malicious extensions go beyond conventional threats, engaging in data theft, browsing hijacks, and even disabling other installed browser extensions. This multifaceted approach allows cybercriminals to manipulate web requests, compromise user data, and eliminate competition by disabling cashback and coupon extensions.

A Call to Vigilance and Routine Checks

Clearly, ReasonLabs wants the users to be careful when using web browser extensions. The recent critical issue only shows that your data can be compromised even without your knowledge.

As part of the precautionary measure, users are urged to routinely inspect installed extensions, seeking new reviews in the Chrome Web Store to identify and report malicious behavior. The obfuscation of extension behavior necessitates proactive measures to safeguard against evolving cyber threats, ensuring a secure browsing experience for all.

For more reports about Google Chrome, just click here.

Read Also: Beware of Fake Hotel Reservations: MrAnon Stealer Phishing Scam Steals Data Through PDF Links