Saturday, 6 September 2014

Malware Can Bypass Chrome Extension Security Feature Easily


Researchers have uncovered a new social engineering trick that leads users to a malicious Google Chrome extension impersonating Adobe’s Flash Player, used to lure victims into a click fraud campaign.
Security experts at Trend Micro believe the malware is triggered when a user opens Facebook or Twitter via a shortened link posted on a social networking site. Once clicked, the link may lead the victim to a site that automatically downloads the malicious browser extension.
MALWARE INVOLVES DOWNLOADING MULTIPLE MALICIOUS FILES
The process is fairly involved: the malware drops a downloader, which in turn fetches multiple malicious files onto the victim’s computer. The malicious program is also able to bypass the protection Google recently added to Chrome against installing browser extensions that are not hosted in the Chrome Web Store.


Researchers came across a baiting tweet advertising “Facebook Secrets”, claiming to show videos that are not publicly available, along with a shortened link to be clicked in order to get them. Curious users readily fall for such a campaign and click the links to download the videos.
What the user is entirely unaware of is that the downloaded file is a malware dropper named “download-video.exe”, detected as TROJ_DLOADE.DND, according to fraud analyst Sylvia Lascano of the security firm Trend Micro.
This file is then used to drop additional malware onto the victim’s computer, including a Chrome browser extension that masquerades as Flash Player and could be used for more aggressive attacks designed to steal the victim’s credentials for various online services.
MALWARE BYPASSES GOOGLE’S SECURITY POLICY
In order to evade detection, the malware circumvents Google's security policy, which only allows installation of extensions hosted in the Chrome Web Store, by creating a folder in the browser's directory where it drops “browser extension components.”
The browser extension components that need to be loaded are added to Chrome’s extension folder and are as follows:
  • manifest.json – contains the browser extension description: name, script to load, version, etc.
  • crx-to-exe-convert.txt – contains the script to be loaded, which can be updated at any time by connecting to a specific URL.
Once the browser has parsed the data in the dropped manifest.json, the extension is ready to work.

OPEN FACEBOOK OR TWITTER – BE A VICTIM OF CLICK FRAUD
Once installed, when a user visits Facebook or Twitter, the extension quietly opens a specific Turkish-language site in the background, which researchers believe is part of a click fraud or redirection scheme.
“The site is written in Turkish and phrases such as ‘bitter words,’ ‘heavy lyrics,’ ‘meaningful lyrics,’ ‘love messages,’ and ‘love lyrics’ appear on the page. This routine could be a part of a click fraud or redirection scheme,” fraud analyst Sylvia Lascano of the security firm Trend Micro said in a blog post.
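The two sections above describe what the dropped extension consists of (a manifest.json plus a script file sideloaded into Chrome's extension folder) and what it does (react to visits to Facebook and Twitter). As an added defender-side example that is not part of the original article or Trend Micro's analysis, the audit below parses a manifest.json and flags the traits a sideloaded, Flash-impersonating extension would show: no Chrome Web Store update_url, a "Flash" name, content scripts targeting Facebook/Twitter, and broad permissions. The two manifests are constructed samples, not the real malware's files.

```python
import json

# Extensions installed from the Chrome Web Store carry this update_url in their
# manifest; an extension dropped straight into the profile folder normally does not.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Sites the article says the extension reacts to when the user visits them.
WATCHED_HOSTS = ("facebook.com", "twitter.com")
BROAD_PERMISSIONS = ("<all_urls>", "tabs", "webRequest")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (empty list = nothing flagged)."""
    findings = []
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("not served from the Chrome Web Store (missing or foreign update_url)")
    if "flash" in manifest.get("name", "").lower():
        findings.append("name impersonates Flash Player (Flash was a plugin, never an extension)")
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if any(host in pattern for host in WATCHED_HOSTS):
                findings.append(f"content script injected into {pattern}")
    for perm in manifest.get("permissions", []):
        if perm in BROAD_PERMISSIONS:
            findings.append(f"broad permission requested: {perm}")
    return findings


# Constructed sample: a sideloaded extension shaped like the one the article describes.
FAKE_FLASH = json.loads("""{
  "manifest_version": 2,
  "name": "Adobe Flash Player",
  "version": "1.0",
  "permissions": ["tabs", "<all_urls>"],
  "background": {"scripts": ["crx-to-exe-convert.txt"]},
  "content_scripts": [{"matches": ["*://*.facebook.com/*", "*://*.twitter.com/*"],
                       "js": ["loader.js"]}]
}""")

# Constructed sample: what a Web Store-installed extension's manifest looks like.
STORE_EXT = json.loads("""{
  "manifest_version": 2,
  "name": "Example Dictionary",
  "version": "2.3",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "permissions": ["storage"]
}""")

if __name__ == "__main__":
    for label, manifest in (("fake-flash", FAKE_FLASH), ("store-ext", STORE_EXT)):
        print(label, audit_manifest(manifest) or ["ok"])
```

To audit a real profile, walk the Extensions directory under Chrome's user data folder and feed each manifest.json to audit_manifest().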
SHORTENED LINK HELPED THREAT ACTORS
By the time researchers discovered the campaign, the tweets promoting the sophisticated malware dropper had been retweeted more than 6,000 times.
Here the cyber criminals used shortened links to reach a large number of victims: a shortened link gives no visibility into where it leads, which helped the campaign spread.
So, in order to protect your computers against this sort of threat, avoid accessing links from unknown or suspicious sources.
