These Browser Extensions You’ve Used For Years May Now Be Spying On You
In the time since, security researchers at LayerXSecurity have discovered 17 additional extensions that follow the scheme of DarkSpectre's "GhostPoster" campaign of spyware extensions. We've listed the identified extensions below, and combined they've racked up an additional 840K installs across Chrome, FireFox, and Edge. The research also indicates an evolution in DarkSpectre's tactics, "suggesting ongoing experimentation and adaptation" to attempts by researchers and security software to uncover and remove these extensions.
The good news is that the offending extensions have been reported to Microsoft, Google, and Mozilla, and removed from those respective extension web stores. The bad news is that this does not automatically remove the extensions from your computer, and many infected users may still be infected without their knowledge.
Compromised Extensions
- AdBlocker
- Ads Block Ultimate
- Amazon Price History
- Color Enhancer
- Convert Everything
- Cool Cursor
- Floating Player — PiP Mode
- Full Page Screenshot
- Google Translate In Right Click
- Instagram Downloader
- One Key Translate
- Page Screenshot Clipper
- RSS Feed
- Save Image to Pinterest on Right Click
- Translate Selected Text with Google
- Translate Selected Text with Right Click
- Youtube Download
The initial discovery of the malicious extensions stems from LayerXSecurity in a deep-dive on the coding and scale of these attacks, but Malwarebytes has also covered this further development in the DarkSpectre story and recommended its Deep Scan functionality for finding these and other malicious extensions on your machine.
As always, the war against spyware and other forms of malware operates on multiple fronts and requires due diligence from modern internet users—but especially power users more likely to install extensions and applications that could be compromised like this.
Image Credit: LayerXSecurity
