A new malware service promises to skip Google's review process and get your malware straight onto the Chrome Store
The malware can even spoof entire websites
- Russian hackers sell Chrome extension service that bypasses Google Store moderation
- Malicious add-on spoofs legitimate sites with full-screen iframes to steal credentials
- Varonis advises strict enterprise allowlisting and consumer extension audits for protection
Russian hackers are selling a service that allows other criminals to spoof legitimate websites, tricking victims into exposing login credentials, or possibly even making fraudulent wire transfers.
A threat actor using the alias ‘Stenli’ (Stanley) recently started offering a service that basically guarantees a malicious Chrome extension will “pass Google Store moderation” and land in the browser’s add-on repository.
But such a big promise also comes with a hefty price - anywhere between $2,000 and $6,000.
Push notifications galore
In their in-depth analysis, security researchers at Varonis explained that the add-on works by covering legitimate websites with a full-screen iframe that displays tailor-made phishing content.
The address bar, on the other hand, remains intact. Therefore, victims might visit a legitimate website, such as Coinbase, for example, but the actual site will be hidden behind a full screen iframe that spoofs Coinbase and steals login credentials.
To make matters worse, the add-on can send push notifications, too. These will appear as if they’re coming straight from the Chrome browser (which, technically, they are), lending further credence to the trick and making it even harder to spot the attack.
Usually, cybersecurity experts will advise users to ensure safety by only installing add-ons from reputable sources. The guarantee of having malware smuggled onto the Chrome Web Store makes the usual advice “insufficient,” Varonis said.
Instead, enterprises should focus on strict allowlisting, it said: “Chrome Enterprise and Edge for Business let administrators block all extensions except those explicitly approved. This approach requires more overhead (maintaining an approved list, evaluating new requests, handling exceptions) but it prevents threats that slip past store moderation.”
Consumers, on the other hand, are advised to periodically audit installed extensions and remove anything that is not being actively used. Paying attention to permission requests is also a great way to spot malware: any extension asking for access to “all websites” or “browsing history” should be thoroughly analyzed.
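The audit and allowlist advice above can be scripted. The following is an added example, not code from Varonis or the article: it checks parsed extension manifests for the two permission classes named above and reports any extension missing from an approved list. The function names, the set of match patterns treated as "all websites", and the sample extension IDs and manifests are assumptions made for illustration.

```python
# Match patterns that amount to "all websites" in a Chrome manifest.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HISTORY = "history"  # API permission that exposes browsing history


def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    # MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
    declared = []
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    if ALL_SITES & set(declared):
        findings.add("all-websites host access")
    if HISTORY in declared:
        findings.add("browsing history access")
    # Content scripts get page access through their own match patterns.
    for script in manifest.get("content_scripts", []):
        if ALL_SITES & set(script.get("matches", [])):
            findings.add("content script injected on all websites")
    return sorted(findings)


def audit_installed(installed, allowlist):
    """Map extension ID -> findings; unapproved IDs are always reported."""
    report = {}
    for ext_id, manifest in installed.items():
        findings = audit_manifest(manifest)
        if ext_id not in allowlist:
            findings.insert(0, "not on approved list")
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample data: IDs and manifests are made up for illustration.
APPROVED = {"a" * 32}
INSTALLED = {
    "a" * 32: {"manifest_version": 3, "permissions": ["storage"]},
    "b" * 32: {"manifest_version": 3, "permissions": ["notifications"],
               "host_permissions": ["<all_urls>"],
               "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
    "c" * 32: {"manifest_version": 2, "permissions": ["history", "tabs"]},
}

if __name__ == "__main__":
    for ext_id, findings in audit_installed(INSTALLED, APPROVED).items():
        print(ext_id, "->", "; ".join(findings))
```

In practice the `installed` mapping would be built by loading each extension's `manifest.json` from the browser profile; a finding is a prompt for review, not proof of malice.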

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.