Visiting a website is a standard task for anyone who uses the internet. The primary tool for viewing or visiting a website is the web browser. A web browser renders web pages and displays a multiplicity of elements such as graphics, text, dynamic content, video, advertisements, etc. Often there are ‘plugins’ or ‘extensions’ that allow users to execute certain actions quickly and efficiently.
Figure: an ad-block extension for Chrome.
As these extensions have become popular, the attention of malicious actors has shifted towards them, and in many cases they provide an effective means of compromising a very large number of victims.
One feature of this attack vector is that victims may actually use the malicious browser extension's functionality, while in the background of these ‘useful’ or ‘neat’ functions a number of malicious operations might be performed.
This happens because browser extensions usually run under the user’s session privileges, allowing escalation of privileges and many post-exploitation payloads, such as keylogging, accessing video and audio, downloading malicious files, using computing resources and establishing persistence on the compromised host.
Recent reports indicate that this attack vector is being used to deliver a very popular payload: cryptocurrency mining. In our latest threat advisory, we outline the different ways attackers can deliver malicious browser extensions, proof of exploitation, and detection and defense measures against this type of attack vector.
To access the in-depth Threat Advisory, click here.