“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User’s privacy is compromised by this procedure since a log of all clicks is being sent to these third-party intermediary websites,” Avast researchers explained.
The malware in the browser extensions stole users’ personal data, such as birth dates, email addresses and information about active devices.
“The actors also exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location of the user),” the researchers added.
Avast researchers believe the objective of this malware is to monetise the traffic. They also believe that, although the Avast Threat Intelligence team started monitoring the threat in November 2020, the malware in the Google Chrome and Microsoft Edge browser extensions could have been active for years without anyone noticing.
“The extensions’ backdoors are well-hidden and the extensions only start to exhibit malicious behavior days after installation, which made it hard for any security software to discover,” said Jan Rubín, Malware Researcher at Avast.
The blog post was published on December 16, and the researchers noted in it that the infected extensions were still available for download at the time of publishing.