Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malicious Browser Extension. Show all posts
Malwares
browser credential theft Browser Extension Cyber Attacks Login Credentials Malicious Browser Extension Malware attacks Malwares

New Malware Impersonates Browser Extensions to Steal Login Credentials

 

Cybercriminals are continually evolving their tactics to evade antivirus detection and trick users into installing malicious software. One of the latest threats involves malware that impersonates legitimate browser extensions, allowing attackers to steal login credentials while remaining undetected. Although this discovery is concerning, researchers have identified the vulnerability before it could be widely exploited, giving security teams time to respond. 

According to a report by SquareX Labs, this attack starts with scammers developing seemingly useful browser extensions, such as an AI-powered transcription tool. To avoid malware detection, they distribute the extension outside official platforms like the Chrome Web Store or Google Play. Users are then encouraged to pin the extension for easy access, allowing it to quietly monitor their browsing habits over time. 

Once installed, the malicious extension collects data on the user’s existing extensions, particularly those used for handling sensitive information, such as password managers. When the right opportunity arises, it disables the legitimate extension and replaces its icon with an identical version. If the user attempts to access their password manager, they unknowingly interact with the fake extension instead. 

To further deceive users, the fraudulent extension displays a message stating that their session has expired, requiring them to log in again. However, rather than accessing their accounts, victims unknowingly submit their credentials directly to cybercriminals. With this information, attackers can break into password vaults, gaining access to sensitive data, stored passwords, and linked accounts. This method is particularly dangerous because it exploits trust in well-known extensions. 

Unlike traditional phishing attempts, which rely on fake websites or deceptive emails, this attack leverages the user’s own browser environment, making it harder to detect. Victims may not realize they’ve been compromised until they notice unauthorized activity on their accounts. Despite the sophistication of this attack, there is no immediate reason for panic. Security researchers identified the exploit before cybercriminals could widely deploy it, and browser developers have been alerted to the risk. 

However, this incident underscores the importance of practicing good cybersecurity habits. Users should only install browser extensions from trusted sources like the Chrome Web Store, avoid third-party downloads, and check reviews before installation. 

Additionally, enabling multi-factor authentication (MFA) on important accounts can provide an extra layer of security, reducing the risk of credential theft. As cyber threats continue to evolve, staying informed and cautious about software installations remains crucial to maintaining online security.
Read more »
Two Factor Authentication
Chromium Browser Cryptocurrency Fraud Malicious Browser Extension malware Rilide Malware Trustwave SpiderLabs Two Factor Authentication

Rilide Malware: Hackers Use Malicious Browser Extension to Bypass 2FA and Steal Crypto


Trustwave SpiderLabs security researchers have recently discovered a new malicious browser extension, named Rilide, targeting Chromium-based browsers like Google Chrome, Brave, Opera, and Microsoft Edge. 

The malicious activities include monitoring browsing history, taking screenshots and stealing cryptocurrency through scripts injected into websites. Rilide impersonated benign Google Drive extensions to remain undetected while abusing built-in Chrome features. 

The cybersecurity company also found another operation that loaded the extension using a Rust loader by leveraging Google Ads and the Aurora Stealer. 

While the origin of the malware is still unknown, Trustwave reports that it shares similarities with extensions that are sold to cybercriminals. In addition, due to a dispute between hackers over an unsolved payment, some of its code was recently disclosed on a dark web forum. 

Hijacking Chromium-based Browsers 

Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system. When the malware is executed, a script attaches a listener to monitor when the victim switches tabs, receives web content, or finishes loading a page. It also monitors if the current site matches a list of targets available from the command control (C2) server. 

If there is a match, the extension loads extra scripts that are injected into the webpage to steal the victim's cryptocurrency and email login information, among other details. Additionally, the extension disables the browser's "Content Security Policy," a security measure intended to guard against cross-site scripting (XSS) attacks to freely load external resources, usually restricted by the browser. 

Bypassing Two-factor Authentication 

Another interesting attribute of Rilide is its 2FA-bypassing system, used in producing bogus dialogs to lure victims into entering their temporary codes. The system is triggered once the victim has submitted a request for a cryptocurrency withdrawal to one of the exchange services that Rilide targets. 

Right when the script needs to be injected into the background to process the request automatically, malware enters the picture. Once the user has entered the code on the fake dialog, Rilide utilizes it to complete the withdrawal process to the hacker’s wallet address. 

“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser[…]The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code,” the Trustwave report explains. 

This way, Rilide has highlighted the growing threat possessed by malicious browser extensions, which now include live monitoring and automated money-stealing systems. 

How can You Protect Yourself From Malicious Browser Extensions?

In regards to the issue, Trustwave SpiderLabs noted that Google enforcing Manifest V3 might aid in making it difficult for the threat actors to use malicious extensions to organize attacks. However, it would not solve the issue entirely as “most of the functionalities leveraged by Rilide will still be available,” the researchers added. 

In order to protect yourself, it has been advised to use the best antivirus software, that would help in preventing your system from getting infected or having your data compromised. Similarly, a good identity theft protection service can help restore your stolen identity or funds stolen by hackers. 

Moreover, when installing new browser extensions, one must only rely on using trusted sources such as Chrome Web Store or the Microsoft Edge Add-ons store.  

Read more »
Subscribe to: Posts (Atom)