Security researchers have recently uncovered two Chrome extensions that have been stealthily monitoring users’ online activities for years. Initially presented as harmless tools for proxy routing and testing network speeds, these extensions were found to be hijacking user traffic and capturing sensitive information. Disturbingly, both were available on Chrome’s official extension store.
Tracked under the name “Phantom Shuttle,” the extensions were aimed at trade professionals who needed to check their internet connections, and were sold as subscriptions priced from $1.40 to $13.60. On the surface everything looked legitimate: the descriptions and pricing were what you would expect from a product of that kind.
How Phantom Shuttle Compromises Data
The extensions were built to reroute all browser traffic through a server under the attackers’ control. The malicious code was hidden inside what looked like an ordinary copy of the jQuery library, and the strings the extension needed to keep out of sight were stored under a custom encoding rather than in clear text. Once active, the extension monitored user traffic and intercepted HTTP authentication prompts on visited sites; an extension holding the webRequest permission can answer such challenges itself, so the user never has to see them.
The extension changed Chrome’s proxy settings automatically so that requests went through the attacker’s network. Traffic for more than 170 high-value domains, including social media, cloud services, and content platforms, was routed through the proxy, while local and private network addresses were left alone, which kept the extension from breaking access to internal resources and drawing attention.
Sitting in the middle of that traffic, the Phantom Shuttle operators were positioned to capture whatever users typed into web forms, including usernames, passwords, personal data, and even session cookies. One caveat: a proxy by itself reads plaintext only from HTTP connections; for HTTPS sites it sees the destination host and timing unless it also intercepts TLS or the extension’s own scripts read the page, which is why an extension’s site access matters as much as the proxy. Google has confirmed that both extensions have since been removed from the Chrome Web Store.
Reviewing Your Extensions
If you want to check your browser for suspicious extensions, here is a straightforward procedure that applies to Windows, macOS, and Chromebooks (desktop Chrome only):
Step 1: Access the Extension List
- Open Chrome on your computer.
- Click on the three-dot menu in the upper right corner.
- Select “Extensions.”
- Then choose “Manage extensions.”
You can also go directly to the extension list by typing chrome://extensions in the address bar.
Step 2: Identify Unknown Extensions
Review the installed extensions and consider the following questions:
- Did you install it?
- Are you actively using it?
- Do you understand its purpose?
If your answer is “no” to any of these, dig a little deeper.
Step 3: Check Permissions
Click on “Details” for any extensions that seem unfamiliar and examine:
- Permissions, especially those that can read or alter data on the sites you visit.
- Site access, particularly those running on all websites.
- Background access, allowing the extension to operate even when not in use.
Step 4: Disable Suspicious Extensions
If something seems off, disable the extension without removing it. If nothing you rely on breaks, you probably do not need it.
Step 5: Remove Unwanted Extensions
For extensions you no longer need, click “Remove” and confirm when prompted. Unused extensions still carry risk and should be cleared out regularly.
Step 6: Restart Chrome
After making changes, restart Chrome so that disabled or removed extensions are not left running. Proxy settings an extension controlled are dropped when it is removed; if traffic still behaves oddly afterwards, check the system proxy settings, which Chrome follows by default.
Protecting Yourself from Malicious Extensions
While you can’t control every aspect of app store security, you can lessen risks by managing your extensions carefully:
1) Install Only When Necessary
Consider the security risks associated with each new extension. Don’t add one unless you truly need its functionality.
2) Verify the Publisher
Stick to developers with a solid reputation, an established history, and known products. Be cautious of offerings from obscure publishers.
3) Review User Feedback
Look for comprehensive, detailed user reviews instead of just star ratings. Be wary of sudden tides of overly positive comments.
4) Understand Permissions Before Installation
Take permission requests seriously. Extensions with broad access to your data should be approached cautiously.
5) Utilize Password Managers
Password managers do not stop a spying extension, but they limit the damage: with a unique password per site, a captured credential unlocks only one account. Checking whether your credentials have appeared in a known breach adds a further layer.
6) Use Reliable Antivirus Software
Use reputable antivirus software that can flag unusual network activity and unauthorized changes to the browser. It adds a layer of protection against malware and phishing.
Following these steps goes a long way toward safeguarding your online activity. Attackers can and do abuse extensions, so vigilance is essential.