- Russian hackers sell Chrome extension service that bypasses Google Store moderation
- Malicious plugin spoofs legitimate sites with full-screen iframes to steal credentials
- Varonis recommends strict allowlists of approved extensions for companies and periodic extension audits for consumers for added protection
Russian hackers are selling a service that allows other criminals to spoof legitimate websites, tricking victims into exposing their login credentials, or possibly even making fraudulent bank transfers.
A threat actor using the alias ‘Stenli’ (Stanley) recently started offering a service that essentially guarantees that a malicious Chrome extension will “pass Google Store moderation” and land in the browser’s add-on repository.
But such a promise also comes with a hefty price tag: between $2,000 and $6,000.
Push notifications galore
In their in-depth analysis, security researchers at Varonis explained that the plugin works by covering legitimate websites with a full-screen iframe that displays personalized phishing content.
The address bar, however, remains intact. Therefore, victims can visit a legitimate website, like Coinbase, for example, but the real site will be hidden behind a full-screen iframe that spoofs Coinbase and steals login credentials.
To make matters worse, the plugin can also send push notifications. These will appear as if they come directly from the Chrome browser (which, technically, they do), giving the hack more credibility and making the attack even harder to detect.
Typically, cybersecurity experts will advise users to ensure security by only installing plugins from trusted sources. The guarantee of malware being smuggled into the Chrome Web Store makes the usual advice “insufficient,” Varonis said.
Instead, companies should focus on strict allowlists, it said: “Chrome Enterprise and Edge for Business allow administrators to block all extensions except those explicitly approved. This approach requires more overhead (maintaining an approved list, evaluating new requests, handling exceptions) but prevents threats that escape the store’s moderation.”
Consumers, on the other hand, are advised to periodically audit installed extensions and remove anything that is not being used. Paying attention to permission requests is also a great way to detect malware – any extension that requests access to “all websites” or “browsing history” should be closely scrutinized.
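As an added illustration of the two recommendations above (not code from Varonis or TechRadar), this Python script checks extension manifests against an approved-ID list and flags requests for all-site access or browsing history. The `<id>/<version>/manifest.json` directory layout, the finding labels and the sample manifests are assumptions made for the example.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site ("all websites").
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose the user's browsing history.
HISTORY_PERMS = {"history", "tabs", "webNavigation"}

def audit_manifest(manifest, allowlist=frozenset(), ext_id=None):
    """Return a list of findings for one parsed manifest.json."""
    perms = set()
    for key in ("permissions", "optional_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    hosts = set(manifest.get("host_permissions", []))        # Manifest V3
    hosts |= set(manifest.get("optional_host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    findings = []
    if hosts & ALL_SITES:
        findings.append("all-websites")
    if perms & HISTORY_PERMS:
        findings.append("browsing-history")
    if ext_id is not None and ext_id not in allowlist:
        findings.append("not-allowlisted")
    return findings

def audit_profile(extensions_dir, allowlist=frozenset()):
    """Audit every <extensions_dir>/<id>/<version>/manifest.json (assumed layout)."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable-manifest"]
            continue
        report[ext_id] = audit_manifest(manifest, allowlist, ext_id)
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Notes helper",
                "permissions": ["notifications", "history"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "Docs tool",
                 "permissions": ["storage"],
                 "host_permissions": ["https://docs.example.com/*"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_BROAD), audit_manifest(SAMPLE_NARROW))
```

Point `audit_profile` at a copy of a browser profile's extensions directory and pass the organization's approved extension IDs as `allowlist`.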