Millions of Chrome, Edge Users Affected by Hijacked Browser Extensions

Contact Your Elected Officials

Malicious extensions masqueraded as popular tools, secretly tracking browsing habits and exposing millions to hijacking risks, researchers warn.

More than 2 million users of Google Chrome and Microsoft Edge have fallen victim to what cybersecurity researchers at Koi Security call a โ€œsophisticatedโ€ malware campaignโ€”one of the largest browser hijacking operations the cybersecurity company has ever uncovered.

The campaignโ€”dubbed RedDirectionโ€”centered on a set of 18 malicious browser extensions that available for download from both Googleโ€™s Chrome Web Store and Microsoftโ€™s Edge Add-ons, according to a July 8 Koi Security report. All of the identified extensions, which are listed at the bottom of this article along with their ID numbers, have since been removed from both platforms.

The malicious extensions appeared legitimate, offering tools such as VPN proxies for TikTok and Discord, YouTube unblockers, weather forecasts, video speed controllers, and emoji keyboards. However, behind the scenes, they secretly enabled covert tracking of usersโ€™ browsing activity, collected URLs of visited pages, and exfiltrated unique tracking identifiers, according to Koi Securityโ€™s findings.

โ€œThese arenโ€™t theoretical attacks,โ€ wrote Koi Securityโ€™s Idan Dardikman. โ€œWith 2.3 million users under surveillance across eighteen different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment. Every click, every website visit, every online transaction becomes a potential attack vector across this vast network.โ€

The malware implements what Dardikman said was a โ€œsophisticated browser hijacking mechanismโ€ that becomes active every time a user navigates to a new website. It can capture the website address and send it to a remote serverโ€”along with the userโ€™s unique tracking ID number. Hackers can also configure the malware to automatically redirect users to different websites, which are potentially harmful.

While Koi Security has not publicly attributed the operation to a specific threat actor or nation-state, the researchers described RedDirection as a highly organized and  โ€œparticularly deviousโ€ effort that amounted to one of the largest browser hijacking operations the company has ever documented. Many of the extensions initially functioned exactly as advertised, which helped them build positive user ratings and evade suspicion on official browser stores.

โ€œImagine logging into your bankโ€™s website,โ€ Dardikman wrote in the report. โ€œThe extension captures your request and seamlessly redirects you to a pixel-perfect replica of your bankโ€™s login page, hosted on the attackerโ€™s servers. You enter your credentials, thinking youโ€™re securely accessing your account, but youโ€™ve just handed over your banking information to cybercriminals.โ€

Koi Security recommended that users who have installed one of the 18 RedDirection campaign extensions remove it immediately, and then clear their browsing data to remove any tracking identifiers that may be stored on their computers. The company also urged users to run a full system malware scan to check for other infections, and recommended that people monitor their accounts for any suspicious activity.

A review of both Googleโ€™s Chrome Web Store and Microsoftโ€™s Edge Add-ons marketplace indicated that the 18 extensions are no longer available for download.

The Epoch Times has reached out to Google and Microsoft for comment.

A list of the known malicious extensions linked to RedDirection, along with their unique extension IDs, is provided below for reference:

Chrome Extensions:

  • Emoji keyboard onlineโ€”copy & paste your emoji (ID: kgmeffmlnkfnjpgmdndccklfigfhajen)
  • Free Weather Forecast (ID: dpdibkjjgbaadnnjhkmmnenkmbnhpobj)
  • Video Speed Controllerโ€”Video manager (ID: gaiceihehajjahakcglkhmdbbdclbnlf)
  • Unlock Discordโ€”VPN Proxy to Unblock Discord Anywhere (ID: mlgbkfnjdmaoldgagamcnommbbnhfnhf)
  • Dark Themeโ€”Dark Reader for Chrome (ID: eckokfcjbjbgjifpcbdmengnabecdakp)
  • Volume Maxโ€”Ultimate Sound Booster (ID: mgbhdehiapbjamfgekfpebmhmnmcmemg)
  • Unblock TikTokโ€”Seamless Access with One-Click Proxy (ID: cbajickflblmpjodnjoldpiicfmecmif)
  • Unlock YouTube VPN (ID: pdbfcnhlobhoahcamoefbfodpmklgmjm)
  • Color Picker, Eyedropperโ€”Geco colorpick (ID: eokjikchkppnkdipbiggnmlkahcdkikp)
  • Weather (ID: ihbiedpeaicgipncdnnkikeehnjiddck)

Edge Extensions:

  • Unlock TikTok (ID: jjdajogomggcjifnjgkpghcijgkbcjdi)
  • Volume Boosterโ€”Increase your sound (ID: mmcnmppeeghenglmidpmjkaiamcacmgm)
  • Web Sound Equalizer (ID: ojdkklpgpacpicaobnhankbalkkgaafp)
  • Header Value (ID: lodeighbngipjjedfelnboplhgediclp)
  • Flash Playerโ€”games emulator (ID: hkjagicdaogfgdifaklcgajmgefjllmd)
  • Youtube Unblocked (ID: gflkbgebojohihfnnplhbdakoipdbpdm)
  • SearchGPTโ€”ChatGPT for Search Engine (ID: kpilmncnoafddjpnbhepaiilgkdcieaf)
  • Unlock Discord (ID: caibdnkmpnjhjdfnomfhijhmebigcelo)

By Tom Ozimek

Read on TheepochTimes.com

The Epoch Times
The Epoch Timeshttps://www.theepochtimes.com/
Tired of biased news? The Epoch Times is truthful, factual news that other media outlets don't report. No spin. No agenda. Just honest journalism like it used to be.

Hereโ€™s What the USโ€™ Security Guarantees For Ukraine Might Look Like

Western security guarantees for Ukraine are one of the main issues delaying a political resolution to the conflict. Russia launched its SMO primarily in response to NATO-emanating threats from Ukraine.

The Cost of Anger

I will not write much here. There are no words I can say. I only wish to remember those forgotten casualties, the unseen cost of the current antagonism in America.

Another Mass Trans Shooter Not to be Discussed

Robin (Robert) Westman was identified by police as the suspect behind a shooting at a Catholic school that left two children dead and 17 others injured.

AI Techno-Hell Roundup: The Birds and the Bees

In addition to total supplantation of human labor, AI is also doing a number on homo sapiensโ€™ psychological welfare โ€” seducing lonely techno-serfs.

Flagged for Burning

Trump ordered AG to enforce laws against flag desecration focusing on flag burning linked to violent crimes, property destruction or other illegal activities.

Fox and YouTube TV Reach Carriage Deal, Preventing Disruption for Subscribers

Fox Corp and YouTube reached a deal to renew their carriage agreement, ensuring Fox channels remain available on YouTube TV.

Child Who Shielded Friends During Minneapolis School Shooting Praised by Officials

Officials praised children at Annunciation Catholic School in MN who put themselves in harmโ€™s way to protect their friends during a mass shooting.

Top CDC Officials Resign After Directorโ€™s Ouster

Several top officials at the CDC stepped down following the ouster of Susan Monarez as the public health agencyโ€™s director.

TransUnion Reports Data Breach Affecting 4 Million American Consumers

TransUnion LLC, Chicago-based credit-reporting firm, announced a data breach involving personal information of 4.4 million consumers throughout the US.

Health Official Tapped to Be Acting Director of CDC

Trump has chosen HHS Deputy Secretary Jim O'Neill as the CDCโ€™s acting director, an administration official told The Epoch Times on Aug. 29.

US Tariff Exemption for Low-Cost Imports Has Ended

On Aug. 29, the United States ended a trade policy that facilitated the shipment of low-value goods into the country for years.

Trump Says He Will Protect Social Security Amid Potential Congressional Cost-Cutting Proposals

Trump said his admin will protect Social Security and Medicaid, when asked which programs he would want to see cut in a congressional reconciliation bill.

Trump Admin Asks Military Base Near Chicago for Support on Immigration Operations

Naval Station Great Lakes was asked by DHS for โ€œlimited support in the form of facilities, infrastructure, and other logistical needs to support DHS operations.
spot_img

Related Articles