{"id":41665,"date":"2020-12-17T15:25:57","date_gmt":"2020-12-17T15:25:57","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=3061221307a36a3079a51c4718d59b75"},"modified":"2020-12-17T15:25:57","modified_gmt":"2020-12-17T15:25:57","slug":"malware-found-on-popular-facebook-instagram-and-vimeo-browser-extensions","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/malware-found-on-popular-facebook-instagram-and-vimeo-browser-extensions\/","title":{"rendered":"Malware found on popular Facebook, Instagram and Vimeo browser extensions"},"content":{"rendered":"


\n Rene Millman<\/a><\/span>
\n <\/span><\/p>\n

\n
\n
17 Dec, 2020<\/span><\/div>\n<\/p><\/div>\n<\/div>\n

\n<\/a><\/p>\n

\n

Malware<\/a> hidden in at least 28 third-party Google<\/a> Chrome<\/a> and Microsoft Edge extensions has\u00a0been discovered by security researchers.<\/p>\n

The malware has the functionality to redirect user\u2019s traffic to ads or phishing sites and to steal people\u2019s personal data, such as birth dates, email addresses, and active devices, according to a report released by cybersecurity firm Avast.<\/p>\n

Researchers have said that up to three million users could be affected by the malware.<\/p>\n

The malware in question masquerades as legitimate\u00a0extensions that\u00a0help download videos from Instagram<\/a>, Facebook<\/a>, Vimeo, and other social platforms. The researchers have identified malicious code in the JavaScript-based<\/a> extensions that allow the plugins\u00a0to download further malware onto a user\u2019s PC.\u00a0<\/p>\n

The threat was first spotted last month, but researchers believe the extensions could have been active for years without anyone noticing.<\/p>\n

Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites.\u00a0Anytime a user clicks on a link, the extensions send information about the click to the attacker\u2019s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit.<\/p>\n

\u201cThe actors also exfiltrate and collect the user\u2019s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user),\u201d the report said.<\/p>\n

Researchers added that the objective behind this is to monetize the traffic itself. For every redirection to a third-party domain, the cyber criminals would receive a payment. Nonetheless, the extension also has the capability to redirect users to ads or phishing sites.<\/p>\n

\u201cOur hypothesis is that either the extensions were deliberately created with the malware built-in, or the author waited for the extensions to become popular, and then pushed an update containing the malware. It could also be that the author sold the original extensions to someone else after creating them, and then the buyer introduced the malware afterwards,\u201d said Jan Rub\u00edn, malware researcher at Avast.<\/p>\n

At this moment, the infected extensions are still available for download. Avast has contacted the Microsoft and Google Chrome teams to report them. Both Microsoft and Google confirmed they are currently looking into the issue. Users are recommended to disable or uninstall the extensions for now until the problem is resolved.<\/p>\n

Extensions mentioned in the report, many of which are still available to download, include:\u00a0Direct Message for Instagram, DM for Instagram,\u00a0Downloader for Instagram, App Phone for Instagram, Universal Video Downloader, Vimeo Video Downloader, Volume Controller, Spotify Music Downloader, and Video Downloader for YouTube. <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Rene Millman<\/p>\n

17 Dec, 2020 <\/p>\n

Malware hidden in at least 28 third-party Google Chrome and Microsoft Edge extensions has\u00a0been discovered by security researchers.
\nThe malware has the functionality to redirect user\u2019s traffic to…<\/p>\n","protected":false},"author":417,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-41665","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/417"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=41665"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41665\/revisions"}],"predecessor-version":[{"id":41666,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/41665\/revisions\/41666"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=41665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=41665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=41665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}