From blocking ads and coin miners to saving news stories for later reading, browser extensions allow users to customize their web browsers for convenience, efficiency, and even privacy and security — usually for free. However, browser extensions need a wealth of access permissions to operate, including things like browsing history, website content, even login credentials. Because extensions aren’t applications in their own right — they run inside web browsers — antivirus software generally cannot detect malicious extensions. These innate vulnerabilities, along with their popularity, make browser extensions a very attractive target for cyber criminals, who attack on two fronts, by developing their own, malware-infested extensions or by hijacking legitimate extensions.

Born to be bad: malicious browser extensions

Some extensions are designed to be malicious. Most of the time, they seek to steal login credentials and other sensitive information. For example, a Medium blogger recently reported on a malicious Google Chrome extension called “CCB Cash,” which purported to give users up to 5% cash back on all of their cryptocurrency transactions. In actuality, CCB Cash did nothing but steal login credentials and cryptocurrency. Google has since removed CCB Cash from its extension store, but not before the hackers behind it managed to make off with 23.23550279 BTC, or a little over $81 million.

Other malicious extensions install adware that redirects user searches to affiliate pages that the developers earn money from; a variant on this scheme replaces legitimate search engine ads with affiliate ads. Sometimes, extensions will redirect users to phishing sites or sites that contain drive-by downloads.

CCB Cash, with its outrageous promises of 5% cash back on practically everything, was an excellent example of the old adage, “If it sounds too good to be true, it probably is.” However, not all malicious browser extensions display obvious red flags. Just like malicious mobile phone apps, many of them disguise themselves as legitimate tools, such as a PDF reader or a VPN. The malicious extension may also impersonate a popular legitimate extension, even going so far as to stuff keywords so that their extension appears near the top of the browser’s extension store. Last year, over 20 million users installed phony ad blocker Chrome extensions before Google removed them.

Good extensions gone bad

Sometimes, hackers don’t bother coding their own extensions; they just hijack legitimate ones. There are several ways to accomplish this:

A new trojan called Razy, which spoofs searches to steal cryptocurrency, ups the ante by compromising the browser itself, installing malicious extensions, then infect already installed, legitimate extensions by disabling browser updates and extension integrity checks.

Protecting yourself from malicious extensions

There are a few ways to protect yourself from malicious browser extensions:

* Only install extensions you actually need and will use.
* Periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.
* Vet extensions before you install them. Visit the developer’s website. Read the description and the reviews. Beware if the description is riddled with spelling and grammar errors, or if the extension is relatively new but has a lot of reviews, every single one of them five-star and very similarly worded.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.