If You’ve Installed Any of These 17 Browser Extensions, Remove Them Now.

A new wave of malicious extensions capable of tracking users’ activities and violating their privacy has been discovered in Chrome, Firefox, and Edge browsers; some of them may have been active for up to five years.

The campaign, known as GhostPoster, was discovered by Koi Security in December and involved 17 Firefox extensions designed to track user activity in the browser. The attackers injected malicious JavaScript code into the extension’s PNG logo, which served as a malware downloader to retrieve the main payload from a remote server. Researchers at LayerX discovered 17 more malicious extensions across various browsers, which had been installed more than 840,000 times.

The ongoing GhostPoster malware campaign

According to a LayerX report, GhostPoster initially attacked Microsoft Edge and then spread to Chrome and Firefox. Malicious add-ons may have been active as early as 2020 and include the following:

  • Google Translate in right click

  • Translate the selected text using Google

  • Ads Block Ultimate

  • Floating player – picture-in-picture mode

  • Transform everything

  • Download from YouTube

  • One-key translation

  • Ad blocker

  • Save an image to Pinterest by right-clicking

  • Instagram downloader

  • RSS feed

  • Cool cursor

  • Full-page screenshot

  • Amazon Price History

  • Color enhancer

  • Translate the selected text by right-clicking

  • Page Screenshot Clipper

The “Google Translate in Right Click” add-on alone was installed 522,398 times. The next most popular was “Translate Selected Text with Google,” with 159,645 installs. Researchers also found a more sophisticated version of this campaign in “Instagram Downloader,” which was installed 3,822 times.

GhostPoster malware has built-in evasion protections—for example, activation is delayed for 48 hours, and it only communicates with remote attack servers under certain conditions. However, once installed, GhostPoster’s extensions can intercept affiliate traffic (and redirect commissions to the attackers), remove and inject HTTP headers to weaken security, bypass CAPTCHA, and inject iframes and scripts for click fraud and user tracking. The only relatively good news is that the malware doesn’t harvest credentials or engage in phishing.

While these malicious extensions can no longer be installed in Chrome, Edge, and Firefox, users who already have them should remove them immediately, as they remain active until explicitly removed.
