Malicious extensions masqueraded as popular tools, secretly tracking browsing habits and exposing millions to hijacking risks, researchers warn.
More than 2 million users of Google Chrome and Microsoft Edge have fallen victim to what cybersecurity researchers at Koi Security call a "sophisticated" malware campaign, one of the largest browser hijacking operations the cybersecurity company has ever uncovered.
The campaign, dubbed RedDirection, centered on a set of 18 malicious browser extensions that were available for download from both Google's Chrome Web Store and Microsoft's Edge Add-ons, according to a July 8 Koi Security report. All of the identified extensions, which are listed at the bottom of this article along with their ID numbers, have since been removed from both platforms.
The malicious extensions appeared legitimate, offering tools such as VPN proxies for TikTok and Discord, YouTube unblockers, weather forecasts, video speed controllers, and emoji keyboards. Behind the scenes, however, they covertly tracked users' browsing activity, collected the URLs of visited pages, and exfiltrated unique tracking identifiers, according to Koi Security's findings.
"These aren't theoretical attacks," wrote Koi Security's Idan Dardikman. "With 2.3 million users under surveillance across eighteen different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment. Every click, every website visit, every online transaction becomes a potential attack vector across this vast network."
The malware implements what Dardikman said was a "sophisticated browser hijacking mechanism" that becomes active every time a user navigates to a new website. It captures the website address and sends it to a remote server, along with the user's unique tracking ID number. The attackers can also configure the malware to automatically redirect users to different, potentially harmful websites.
While Koi Security has not publicly attributed the operation to a specific threat actor or nation-state, the researchers described RedDirection as a highly organized and "particularly devious" effort that amounted to one of the largest browser hijacking operations the company has ever documented. Many of the extensions initially functioned exactly as advertised, which helped them build positive user ratings and evade suspicion on the official browser stores.
"Imagine logging into your bank's website," Dardikman wrote in the report. "The extension captures your request and seamlessly redirects you to a pixel-perfect replica of your bank's login page, hosted on the attacker's servers. You enter your credentials, thinking you're securely accessing your account, but you've just handed over your banking information to cybercriminals."
Koi Security recommended that users who have installed one of the 18 RedDirection campaign extensions remove it immediately, and then clear their browsing data to remove any tracking identifiers that may be stored on their computers. The company also urged users to run a full system malware scan to check for other infections, and recommended that people monitor their accounts for any suspicious activity.
A review of both Google's Chrome Web Store and Microsoft's Edge Add-ons marketplace indicated that the 18 extensions are no longer available for download.
The Epoch Times has reached out to Google and Microsoft for comment.
A list of the known malicious extensions linked to RedDirection, along with their unique extension IDs, is provided below for reference:
Chrome Extensions:
- Emoji keyboard online - copy & paste your emoji (ID: kgmeffmlnkfnjpgmdndccklfigfhajen)
- Free Weather Forecast (ID: dpdibkjjgbaadnnjhkmmnenkmbnhpobj)
- Video Speed Controller - Video manager (ID: gaiceihehajjahakcglkhmdbbdclbnlf)
- Unlock Discord - VPN Proxy to Unblock Discord Anywhere (ID: mlgbkfnjdmaoldgagamcnommbbnhfnhf)
- Dark Theme - Dark Reader for Chrome (ID: eckokfcjbjbgjifpcbdmengnabecdakp)
- Volume Max - Ultimate Sound Booster (ID: mgbhdehiapbjamfgekfpebmhmnmcmemg)
- Unblock TikTok - Seamless Access with One-Click Proxy (ID: cbajickflblmpjodnjoldpiicfmecmif)
- Unlock YouTube VPN (ID: pdbfcnhlobhoahcamoefbfodpmklgmjm)
- Color Picker, Eyedropper - Geco colorpick (ID: eokjikchkppnkdipbiggnmlkahcdkikp)
- Weather (ID: ihbiedpeaicgipncdnnkikeehnjiddck)
Edge Extensions:
- Unlock TikTok (ID: jjdajogomggcjifnjgkpghcijgkbcjdi)
- Volume Booster - Increase your sound (ID: mmcnmppeeghenglmidpmjkaiamcacmgm)
- Web Sound Equalizer (ID: ojdkklpgpacpicaobnhankbalkkgaafp)
- Header Value (ID: lodeighbngipjjedfelnboplhgediclp)
- Flash Player - games emulator (ID: hkjagicdaogfgdifaklcgajmgefjllmd)
- Youtube Unblocked (ID: gflkbgebojohihfnnplhbdakoipdbpdm)
- SearchGPT - ChatGPT for Search Engine (ID: kpilmncnoafddjpnbhepaiilgkdcieaf)
- Unlock Discord (ID: caibdnkmpnjhjdfnomfhijhmebigcelo)
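Because installed extensions are unpacked into a folder named after their extension ID, the list above can be turned into a quick local check. The following Python script is an added example written for this article, not code from Koi Security or the browser vendors: it walks the standard Chrome and Edge profile locations on Windows, macOS and Linux (those paths, and the "Default"/"Profile N" layout, are assumptions about the browsers' defaults) and reports any directory whose name matches one of the 18 IDs. The `demo_scan` function builds a constructed, throwaway profile layout so the check can be exercised without touching a real browser.

```python
"""Check local Chrome/Edge profiles for the RedDirection extension IDs."""
import os
import sys
import tempfile
from pathlib import Path

# The 18 extension IDs named in the article (from Koi Security's report).
REDDIRECTION_IDS = frozenset({
    # Chrome Web Store
    "kgmeffmlnkfnjpgmdndccklfigfhajen", "dpdibkjjgbaadnnjhkmmnenkmbnhpobj",
    "gaiceihehajjahakcglkhmdbbdclbnlf", "mlgbkfnjdmaoldgagamcnommbbnhfnhf",
    "eckokfcjbjbgjifpcbdmengnabecdakp", "mgbhdehiapbjamfgekfpebmhmnmcmemg",
    "cbajickflblmpjodnjoldpiicfmecmif", "pdbfcnhlobhoahcamoefbfodpmklgmjm",
    "eokjikchkppnkdipbiggnmlkahcdkikp", "ihbiedpeaicgipncdnnkikeehnjiddck",
    # Edge Add-ons
    "jjdajogomggcjifnjgkpghcijgkbcjdi", "mmcnmppeeghenglmidpmjkaiamcacmgm",
    "ojdkklpgpacpicaobnhankbalkkgaafp", "lodeighbngipjjedfelnboplhgediclp",
    "hkjagicdaogfgdifaklcgajmgefjllmd", "gflkbgebojohihfnnplhbdakoipdbpdm",
    "kpilmncnoafddjpnbhepaiilgkdcieaf", "caibdnkmpnjhjdfnomfhijhmebigcelo",
})


def default_extension_dirs():
    """Candidate <profile>/Extensions directories for Chrome and Edge.

    Assumption: the browsers' standard user-data locations. A custom
    --user-data-dir or portable install must be passed to
    find_flagged_extensions() directly.
    """
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        roots = [local / "Google" / "Chrome" / "User Data",
                 local / "Microsoft" / "Edge" / "User Data"]
    elif sys.platform == "darwin":
        support = home / "Library" / "Application Support"
        roots = [support / "Google" / "Chrome", support / "Microsoft Edge"]
    else:
        roots = [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]

    found = []
    for root in roots:
        if not root.is_dir():
            continue
        # Each profile ("Default", "Profile 1", ...) has its own Extensions folder.
        for profile in root.iterdir():
            ext_dir = profile / "Extensions"
            if ext_dir.is_dir():
                found.append(ext_dir)
    return found


def find_flagged_extensions(extension_dirs, flagged=REDDIRECTION_IDS):
    """Return sorted (extensions_dir, extension_id) pairs whose ID is in `flagged`.

    Installed extensions live at <Extensions>/<32-char id>/<version>/, so the
    ID is simply the name of the first-level subdirectory.
    """
    hits = []
    for ext_dir in extension_dirs:
        ext_dir = Path(ext_dir)
        if not ext_dir.is_dir():
            continue
        for entry in ext_dir.iterdir():
            if entry.is_dir() and entry.name in flagged:
                hits.append((str(ext_dir), entry.name))
    return sorted(hits)


def demo_scan():
    """Exercise the check on a constructed profile layout (not a real browser).

    Creates a temporary Extensions folder containing one flagged ID from the
    article's list and one made-up benign ID, and returns the flagged IDs found.
    """
    base = Path(tempfile.mkdtemp(prefix="reddirection_demo_"))
    ext_dir = base / "Default" / "Extensions"
    (ext_dir / "cbajickflblmpjodnjoldpiicfmecmif" / "1.0.0").mkdir(parents=True)
    (ext_dir / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.3.1").mkdir(parents=True)  # constructed benign ID
    return [ext_id for _, ext_id in find_flagged_extensions([ext_dir])]


if __name__ == "__main__":
    hits = find_flagged_extensions(default_extension_dirs())
    for ext_dir, ext_id in hits:
        print(f"FLAGGED: {ext_id} in {ext_dir}")
    if hits:
        sys.exit(1)
    print("No RedDirection extension IDs found in default Chrome/Edge profiles.")
```

A match only tells you the extension's files are present in that profile; removing it through the browser's extension manager, then clearing browsing data and running a full malware scan as Koi Security advises, is still the remediation. The script exits non-zero on a hit so it can be dropped into an endpoint inventory job.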
By Tom Ozimek