Up To 3 Million Devices Infected By Malware-Laced Chrome and Edge Add-Ons (arstechnica.com)
As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer.
In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."
The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.
Facebook and Google are doing it without a plugin (Score:3, Funny)
So what is all the fuss about?
Re: (Score:3)
Indeed, it's called "Chrome". I didn't know Facebook made a browser though.
Re:Facebook and Google are doing it without a plug (Score:4, Informative)
Seriously. Google, Microsoft, and Facebook are all in the data-mining business anyway. It's not as if this malware is infecting something pristine.
That's not to say it shouldn't be aggressively dealt with, mind you. No need to add insult to injury. But realistically, the software the malware infects is already violative of users' privacy, as is Win10 itself. I suspect that more data is mined by the combination of the Win10 OS and the uninfected browser than by the extensions.
useless bullshit (Score:3)
aka "marketing".
never buying hardware that could support alternate OSs, but doesn't
next phone will be the dumbest one i can find
so tired of half baked software and pointless pseudo updates
what's the point of advertising "four versions"?
is the hardware of the samsung s6 so fucking slow compared to a similarly priced current phone from samsung, that it can't run the latest android? Or is it because they need us to buy new hardware as often as possible?
why can a fifteen year old computer, with their *uncountable* hardware configurations run the latest OSes, from microsoft and the OSS community, but a 4-5 year old phone with *very specific* hardware can't?
Re: (Score:1)
Yeah, I hate when I do that.
Re:useless bullshit (Score:4, Funny)
my incompetence is limited by this mortal shell
Re: useless bullshit (Score:2)
Frankly, what we need is a pocket-sized version of the "IBM-compatible" platform back in the days.
A skeleton bus + meat modules + skin ruggedness design. With an open spec for the spine and meat bits. (Skin is trivial.)
And all the usuals available from several manufacturers.
SoC, keyboard, screen, storage, battery, external connectors, antennas, sensors, camera.
But what it needs is a unique killer feature that can only be enabled by that, and is attractive to even Google humAnoidroids complete iTards who can
Re: (Score:3)
https://www.fairphone.com/
Size constraints. (Score:2)
Frankly, what we need is a pocket-sized version of the "IBM-compatible" platform back in the days.
A skeleton bus {...}
The problem is that "pocket-sized" requires miniaturisation which in turn requires ultra high integration,
whereas standardized bus and modular architecture need to be spread out.
It's like wanting the Raspberry Pi SBC *itself* being modular (e.g.: swapping ram modules, onboard USB hub and network) as opposed to being able to talk to external modules.
With phones:
A lot have tried, very few have succeeded:
- Fairphone managed to pull it off, and even there, the modules are very custom and not industry standard as
opensource-friendly phones (Score:2)
never buying hardware that could support alternate OSs, but doesn't
next phone will be the dumbest one i can find
You might have a look at the Pine64's PinePhone, which not only has a low-ish price, but in addition has been designed with opensource (runs on mainline kernel) and community in mind.
why can a fifteen year old computer, with their *uncountable* hardware configurations run the latest OSes, from microsoft and the OSS community, but a 4-5 year old phone with *very specific* hardware can't?
Because of - as Mac hardware users are going to discover in the coming years of Apple silicon (M1 and its future descendant):
Lack of standard.
Your fifteen year old computer follows some very standard way to organise everything (UEFI or BIOS firmware, ACPI, standard discoverable PCI/PCIe bus, etc.)
take any standard compliant Lin
Mmmmhhh... malware-laced malware! (Score:2)
So ... Chrome with little bits of Chrome inside?
*Homer drool*
Re: (Score:1)
Yo dawg, I heard you like malware in your malware, so I put malware in your malware in your malware.
firefox... ok (Score:2)
I use Mozilla firefox..
why should I give a shit?
Re:firefox... ok (Score:5, Informative)
Re: (Score:2)
Those vulns are a bummer, but they are fixed in the current [stable] version...