Delete These 17 Harmful Browser Extensions Immediately


A recent investigation uncovered a significant threat from malicious browser extensions affecting Chrome, Firefox, and Edge. These extensions, linked to a campaign called GhostPoster, could track user activities and compromise privacy. Some of these harmful extensions have been active for up to five years.

Overview of the GhostPoster Campaign

The GhostPoster campaign was identified by Koi Security in December and has raised serious security concerns. It included 17 malicious Firefox add-ons aimed at monitoring user browsing activities. The threat actors embedded harmful JavaScript code within the extensions’ PNG logos. This code functioned as a malware loader, enabling the retrieval of a main payload from remote servers.
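An added example, not taken from the article or from the researchers' reports: a Python check a defender could run over an unpacked extension's icon files to find bytes that an image renderer ignores but a script could read back. The article does not say where in the PNG the code is placed, so looking after the IEND chunk and in text chunks is an assumption; `scan_png` and both sample files are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report bytes a renderer ignores."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, seen_iend, text_bytes, bad_crc = len(PNG_SIG), False, 0, []
    while not seen_iend:
        if pos + 12 > len(data):
            raise ValueError("chunk list ends before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            bad_crc.append(ctype.decode("latin-1"))
        if ctype in TEXT_CHUNKS:
            text_bytes += length
        seen_iend = ctype == b"IEND"
        pos = end
    trailing = data[pos:]  # anything after IEND is not image data
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailing)
    return {
        "trailing_len": len(trailing),
        "trailing_is_text": bool(trailing) and printable / len(trailing) > 0.9,
        "text_chunk_bytes": text_bytes,
        "bad_crc": bad_crc,
    }

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

# Constructed sample: a valid 1x1 grayscale PNG, then the same file with
# harmless placeholder text appended after IEND.
CLEAN = (PNG_SIG
         + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
         + _chunk(b"IEND", b""))
TAMPERED = CLEAN + b"/* constructed placeholder */ console.log('demo');"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, scan_png(blob))
```

A non-zero `trailing_len` or a large `text_chunk_bytes` on a small logo is a reason to inspect the file by hand, not proof of compromise, since some image tools also leave metadata behind.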

Discovery of Additional Malicious Extensions

Researchers from LayerX discovered another set of 17 harmful extensions across multiple browsers. These extensions have accumulated over 840,000 installations. GhostPoster initially targeted Microsoft Edge before expanding to Chrome and Firefox. The malicious extensions have been active since at least 2020.

List of Malicious Extensions

  • Google Translate in Right Click
  • Translate Selected Text with Google
  • Block Ultimate Floating Player – PiP Mode
  • Convert Everything
  • YouTube Download
  • One Key Translate
  • AdBlocker
  • Save Image to Pinterest on Right Click
  • Instagram Downloader
  • RSS Feed
  • Cool Cursor
  • Full Page Screenshot
  • Amazon Price History
  • Color Enhancer
  • Translate Selected Text with Right Click
  • Page Screenshot Clipper

Impact of the Malicious Extensions

One notable extension, “Google Translate in Right Click,” had over 522,000 installations. Another, “Translate Selected Text with Google,” reached 159,645 installs. The “Instagram Downloader” variant had fewer installs, totaling 3,822.

GhostPoster malware incorporates features to evade detection. For instance, activation is delayed by 48 hours, and it only communicates with remote servers under specific conditions. Once installed, these extensions can hijack affiliate traffic, modify HTTP headers to weaken security, bypass CAPTCHA systems, and inject iframes and scripts for tracking and click fraud. Fortunately, the malware does not collect credentials or engage in phishing schemes.

What to Do If You’re Affected

While these malicious extensions are no longer available for installation on Chrome, Edge, and Firefox, users are urged to remove any existing installations immediately. The extensions will remain active until they are explicitly deleted.

In conclusion, it’s critical to regularly review and remove any suspicious browser extensions to safeguard your online privacy. Always ensure that your browser is equipped with reliable security measures to enhance protection against threats like GhostPoster.