Google removed a extension for its Google Chrome browser from the Chrome Web Store after it was discovered the extension was being used by malicious actors to steal banking credentials and financial information.
The extension, named Interface Online and created by a developer called Internet Security Online, was made available through the Chrome Web Store earlier this week. It was created by a group of criminals in Brazil who used it to target specific people in the financial industry.
The attempted scam was discovered by Renato Marinho, the chief research officer of Morphus Labs and SANS Internet Storm Center, who disclosed the malicious extension in a blog post and reported it to Google to have the plug-in removed.
While anyone could have downloaded the extension from the Chrome Web Store, the Brazilian-based attackers had particular targets in mind. The group researched potential targets and gathered intel about them and their role within their company on social media. The hackers specifically targeted people they believed had a hand in handling financial transactions.
Once the group had identified their targets, they began contacting the potential victims. The attackers called the targets and posed as bank employees. On the phone, they would encourage the targets to download the extension, which they claimed was part of the bank’s security module, or face losing access to their account.
According to Kaspersky Lab researcher Fabio Assolini, the attackers would act panicked on the phone, pressuring the victims into downloading the extension. They would give a web address where users were supposed to go to download the security module. When they clicked the “Install” button on the site, they would begin downloading the malicious extension.
The phone call continued as the victim completed the the installation process. Once the person had installed the extension, the attacker would have them test it by entering the credentials used to access their corporate bank account. As they enter their credentials, the information was collected by the extension and sent to the attackers.
The extension, Internet Security Online, didn’t particularly hide these capabilities. A description of the extension in the Chrome Web Store said it was capable of reading and changing data on websites visited by the user and could monitor the user’s browsing activity. Despite this, at least 30 people had downloaded and installed the extension before it was removed.
While the attacks were not widespread, the threat actors behind the effort have proven relatively skilled and persistent. The group was also tied to a number of other targeted attacks against banks and financial institutions in Brazil, including one targeting payment system Boletos.
Google has had issues with malware infecting its marketplaces in the past with Android, but the Chrome Web Store is increasingly becoming a target for malicious actors looking for new ways to infect machines.
According to ThreatPost, researchers have reported at least eight popular Google chrome extensions that have been compromised or abused to intercept internet traffic and display potentially malicious advertisements in a user’s browser.