Malicious Extensions Can Hijack Your Internet Browser

Extensions are a convenient way to add functionality to your web browser, but recently, they’ve been targeted by hackers as a weak point in cybersecurity. Security firm ICEBRG recently found that over half a million users and businesses were infected by a handful of malicious Google Chrome extensions that used their computers to commit fraud, and these extensions could easily be modified to act as launchpads for full-scale cyberattacks. With browser extensions developing as a vector for attack, we’ve broken down the capabilities and signs of browser extension malware, as well as how you can protect yourself from it. To learn more, read on.

What can browser extension malware do?

Malicious browser extensions can gain control over your Internet browser to accomplish a variety of different goals, all of which are designed to make the extension developer money. They can make your browser visit websites or YouTube videos to farm clicks while you aren’t using it. They could serve you malvertisements and redirect you to shady websites, where your computer can become even more infected. Some of them, such as the recently discovered Droidclub family of extensions, can even record all of your web browsing sessions and collect your personal data, such as passwords and financial information, from them.

These functions are quite similar to more traditional kinds of malware, but malicious browser extensions have two factors that make them even more dangerous. The first is that, since they operate by taking control of your browser from the inside, they can easily be overlooked by antivirus programs, operating system security and even users because browsers are trusted programs. The second is that they update automatically with little oversight, so an unethical company can buy up an innocent extension you have installed and update it with malicious features. Clever hackers can also develop legitimate extensions, wait until they gain a number of users and a level of trust, and then add in the nasty aspects later.

Signs your browser is infected

While not all corrupted browser extensions exhibit obvious behavior, malvertising and click-farming extensions are the easiest to spot. Being redirected at random to websites while surfing the Internet, or seeing ads on a website that doesn’t normally serve ads, such as Wikipedia, is a telltale sign of malvertising. Checking your browser’s history can alert you to click-farming, which tends to leave visits to strings of strange websites and YouTube videos in the log. For Chrome users, being redirected after attempting to visit your extensions folder can be another sign of infection. A recently discovered extension malware dubbed “Tiempo en colombia en vivo” redirected users to an altered extensions folder in an attempt to hide itself, and it’s possible that future forms of extension malware will try to use this trick as well.

How to avoid browser extension malware

As mentioned above in the Tiempo example, malicious browser extensions can be extremely difficult to get rid of. Just uninstalling them from your browser’s extension menu may not do the trick, as some are designed to display fake uninstallation pages while remaining on your computer. Anti-malware software, such as Malwarebytes, may be able to get rid of them, but if that doesn’t work, your best bet is to report the issue to your browser’s company, and then use a different browser while you wait for them to fix the issue. You may be waiting for a while (it took Google 19 days to remove Tiempo once a security researcher reported it), but it’s better than having your identity stolen.

Trying to avoid bad extensions completely is probably the safer option, but that carries its own set of challenges. Some websites will try to force you to install an extension, using pop-up messages that won’t let you leave the page until you accept the download. Fake extensions, similar to fake apps, also exist, copying the names and logos of popular extensions to try to trick people into downloading them. To stay safe, only download browser extensions through official marketplaces like Firefox Add-ons and the Chrome Web Store, and vet the developer by checking how many users the extension has (user numbers under 100,000 are suspicious) as well as the developer’s past history. Every month, look through your browser extensions and make sure you can account for each one. If you don’t remember downloading something, remove it and run a scan with an anti-malware program just to be safe.
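For readers comfortable with a script, the monthly review described above can be partly automated. The following is an added example, not code from this article or from any browser vendor: it reads each installed extension's `manifest.json` and lists the ones that ask for access to every site or to sensitive browser APIs. It assumes Chrome's on-disk layout (`Extensions/<id>/<version>/manifest.json` inside the profile folder); the function names, the choice of which permissions to flag, and the two sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumption of this example: which requests count as worth a second look.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "webRequest", "history", "cookies", "management"}

def audit_extensions(extensions_dir):
    """List installed extensions found as <dir>/<id>/<version>/manifest.json."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip instead of crashing
        requested = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
        for script in manifest.get("content_scripts", []):
            requested.update(script.get("matches", []))  # sites scripts are injected into
        findings.append({
            "id": manifest_path.parent.parent.name,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "broad_hosts": sorted(requested & BROAD_HOSTS),
            "sensitive_apis": sorted(requested & SENSITIVE_APIS),
        })
    return findings

def build_sample_profile(root):
    """Write two constructed manifests (not real extensions) for the demo."""
    samples = {
        "a" * 32: {"name": "Constructed Notes", "version": "1.0",
                   "permissions": ["storage"]},
        "b" * 32: {"name": "Constructed Weather", "version": "2.3",
                   "permissions": ["tabs", "webRequest", "<all_urls>"],
                   "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_extensions(build_sample_profile(tmp)):
            flag = "REVIEW" if row["broad_hosts"] or row["sensitive_apis"] else "ok"
            print(flag, row["id"], row["name"], row["broad_hosts"], row["sensitive_apis"])
```

A flagged entry is not proof of malware, since many legitimate extensions need broad access; it is a prompt to confirm you installed that extension and still need it.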

Though most browser extension attacks happen on Google Chrome, that’s only because Chrome is the most popular Internet browser. The truth is, every browser that supports extensions is vulnerable to attack, and even though browser extensions may seem trustworthy, they actually have the capacity to do a lot of damage to your devices. To learn more about how to keep your online experience safe and secure, follow our technology blog.