A malicious Google Chrome extension punishes users who search for certain keywords by redirecting them to a tech support scam.
Attackers introduce users to the rogue extension via a malvertising campaign. Most of the time, malicious adverts redirect users to an exploit kit that drops ransomware or other malware. In this case, the advertisement leads a user to a web page that loops endlessly into fullscreen mode. Their only option is to install the extension if they wish to leave.
This extension is designed to achieve a level of persistence on a victim’s machine. As Malwarebytes lead malware intelligence analyst Jérôme Segura explains in a blog post:
“Once installed, this extension ensures it stays hidden by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu in the image below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them.”
Such concealment helps the extension carry out its primary functions. First, similar to the Webpage Screenshot extension discovered in 2015 and the add-on secretly pushed out by Adobe Acrobat in early 2017, it collects information and sends all of it back to a location of its choosing.
Second, and by far worse, it looks for certain keywords in the URL to determine whether it should trigger redirection/blocking techniques. For example, if a user attempts to visit the Malwarebytes website, the extension will redirect them to a potentially unwanted program (PUP) or get-rich-quick scheme. Certain keywords will even trigger a redirect to a fake Microsoft tech support warning.
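The two traits described above, a 1×1 pixel toolbar icon and permissions broad enough to intercept and redirect navigations, are both visible from an installed extension's files. The following triage script is an added example written for this page; it is not code from the article or from Malwarebytes, and its heuristics (which permissions count as "redirect-capable", what counts as a hidden icon) and its sample manifest are our own assumptions rather than the real extension's manifest. It reads a Chrome Manifest V2 manifest, flags `webRequest`/`tabs`-style permissions combined with all-host access, and inspects each declared icon's PNG header for a near-zero pixel size.

```python
import json
import struct
from pathlib import Path

# Heuristics (our own, modelled on the behaviours described in the article):
# - these permissions let an extension observe or rewrite navigations, which is
#   what is needed to bounce chrome://extensions to chrome://apps or to
#   redirect keyword searches
REDIRECT_PERMISSIONS = {"webRequest", "webRequestBlocking", "webNavigation", "tabs"}
# - any of these host patterns grants that ability on every site
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data):
    """Return (width, height) from a PNG's IHDR chunk, or None if not a PNG.

    Only the first 24 bytes are needed: 8-byte signature, 4-byte chunk length,
    4-byte chunk type 'IHDR', then width and height as big-endian uint32.
    """
    if len(data) < 24 or not data.startswith(PNG_SIGNATURE):
        return None
    if data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def triage_manifest(manifest, icon_reader=None):
    """Return a list of human-readable findings for one extension manifest.

    icon_reader(relative_path) -> bytes supplies icon file contents, so the
    function can be exercised without touching disk.
    """
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    redirect_caps = perms & REDIRECT_PERMISSIONS
    broad = hosts & BROAD_HOSTS
    if redirect_caps and broad:
        findings.append(
            "can intercept/redirect all navigations: "
            f"{sorted(redirect_caps)} with host access {sorted(broad)}"
        )
    if icon_reader is not None:
        for declared_size, rel_path in manifest.get("icons", {}).items():
            dims = png_dimensions(icon_reader(rel_path))
            # a toolbar icon of 2x2 px or smaller is effectively invisible
            if dims and dims[0] * dims[1] <= 4:
                findings.append(
                    f"icon declared as {declared_size}px is actually "
                    f"{dims[0]}x{dims[1]} (hidden toolbar icon)"
                )
    return findings


def triage_profile(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    results = {}
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))

        def read_icon(rel, d=ext_dir):
            p = d / rel
            return p.read_bytes() if p.is_file() else b""

        findings = triage_manifest(manifest, read_icon)
        if findings:
            results[f"{ext_dir.parent.name}/{ext_dir.name}"] = findings
    return results


# Constructed sample with the traits described above (not the real extension's manifest)
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Sample Helper",
    "version": "1.0",
    "icons": {"16": "icon.png", "128": "icon.png"},
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "background": {"scripts": ["bg.js"]},
}
# Constructed first 24 bytes of a 1x1 PNG: signature, IHDR length, 'IHDR', width=1, height=1
SAMPLE_TINY_PNG = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 1, 1)


def demo():
    """Run the triage against the constructed sample; returns the findings."""
    return triage_manifest(SAMPLE_MANIFEST, lambda _rel: SAMPLE_TINY_PNG)


if __name__ == "__main__":
    for line in demo():
        print("-", line)
    # To scan a real profile on Linux, for example:
    # print(triage_profile(Path.home() / ".config/google-chrome/Default/Extensions"))
```

Because the rogue extension blocks chrome://extensions itself, a file-level scan like this one is a practical way to enumerate what is actually installed; on managed machines the durable control is Chrome's enterprise ExtensionInstallAllowlist policy, which prevents unvetted extensions from being installed at all.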
Given this threat, Segura recommends users adopt a realistic view of Chrome extensions:
“Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.”
Google has removed the rogue extension from its store as of this writing.