Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

About harmful updates

Read: 18666 Comments: 2 Rating: 9

Wednesday, August 30, 2017

On the pages of the Anti-virus Times, we’re always talking about the need to install updates, and when we do that, we are, of course, talking about legitimate security updates for the applications in use. But there are other updates “out there”.

The author of the Chrome Particle browser extension sold the extension, which was not going to be developed any further, to a company that had previously offered to collaborate with advertising.

Users noticed that the list of permissions requested by the extension had expanded (it now needed permission to modify loaded webpages and change the browser theme). A more detailed examination revealed that the extension replaced advertisements on popular sites with those produced by its new owners. The replaced content included ads from Google, Yahoo, Bing, Amazon, eBay and Booking.com.

https://www.opennet.ru/opennews/art.shtml?num=46851

This may not seem like a big deal: after all it merely replaces annoying ads with other annoying ads. However, the extension came to be regarded as malicious because it performed actions users weren’t expecting from it.

The problem is that content is being replaced and users aren't being notified about it. Today it replaces ads; tomorrow it will replace a sign-in box to harvest logins and passwords.

https://www.opennet.ru/opennews/art.shtml?num=46851

Why were users so worried? As usual, the problem lies with JavaScript code.

Because Chrome extensions are updated without user intervention, the extension’s new owners were able to install malicious JavaScript code on machines via, what appeared to be, just another update.

https://www.opennet.ru/opennews/art.shtml?num=38882

The code can be used by criminals to perform virtually any action—from stealing data to downloading other malicious code.

The extension’s authors are still receiving purchase offers in emails from unscrupulous dealers. Currently, a change in extension ownership doesn't affect the established trusted relationship, i.e., updates rolled out by the new owner will be applied without the user needing to confirm any prompts. Furthermore, the malicious activity does not commence immediately after the update has been downloaded but several days later. Thus users have a hard time determining why the ads on websites have changed.

https://www.opennet.ru/opennews/art.shtml?num=38882

And a few words about confidential information.

The developers of the Copyfish extension warned users that they lost control over their Chrome Web Store account. Thus attackers were able to release a new version containing malicious code that generates pop ups and replaces advertisements on websites. Copyfish is an OCR (optical character recognition) extension.

Copyfish’s developers received a fraudulent email, ostensibly from the Chrome Web Store support service. The message said they had to fix certain issues in the extension's code; otherwise, Copyfish would be removed from the store.

The text also contained a link to a corresponding support ticket page. The shortened URL pointed to a bogus authentication page from which the developers were redirected to chromedev.freshdesk.com, where the problem was being discussed. Because the email was composed in the HTML format, the link didn't appear suspicious. One of the developers fell into the trap and entered their Google account credentials on the fraudulent page.

The next day, the developers discovered that someone released version 2.85 of their extension. It contained code that replaced ads on webpages and was now associated with a different account in the store. They found themselves unable to do anything because the imposters had blocked their access to their account.

http://www.opennet.ru/opennews/art.shtml?num=46945

As you can see, at first bogus updates can be used merely to display ads, while later more serious malicious activities can be carried out.

#security_updates #adware #JavaScript #SpIDer_Gate #browser

The Anti-virus Times recommends

  1. Make sure you distinguish the difference between a security update and an upgrade to a new version. Security updates help maintain system safety. But there is no reason to automatically upgrade to a new version. It may be a good idea to wait until you can review feedback from other users.

  2. The fewer extensions you use, the fewer risks you take.

    Hmm. I think it's high time I check my list of extensions and remove the ones I don't use.
    That's what I'm going to do right now.

    https://www.opennet.ru/opennews/art.shtml?num=38882

  3. Disable JavaScript in your browser to lower security risks.

  4. An anti-virus must be running in the system when new software or updates are being installed. In Dr.Web, the HTTP monitor SpIDer Gate scans inbound traffic.

[Twitter]

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments

Comments to other issues | My comments