Millions of Chrome, Edge Users Affected by Hijacked Browser Extensions


Malicious extensions masqueraded as popular tools, secretly tracking browsing habits and exposing millions to hijacking risks, researchers warn.

More than 2 million users of Google Chrome and Microsoft Edge have fallen victim to what cybersecurity researchers at Koi Security call a “sophisticated” malware campaign—one of the largest browser hijacking operations the cybersecurity company has ever uncovered.

The campaign—dubbed RedDirection—centered on a set of 18 malicious browser extensions that were available for download from both Google’s Chrome Web Store and Microsoft’s Edge Add-ons, according to a July 8 Koi Security report. All of the identified extensions, which are listed at the bottom of this article along with their ID numbers, have since been removed from both platforms.

The malicious extensions appeared legitimate, offering tools such as VPN proxies for TikTok and Discord, YouTube unblockers, weather forecasts, video speed controllers, and emoji keyboards. However, behind the scenes, they secretly enabled covert tracking of users’ browsing activity, collected URLs of visited pages, and exfiltrated unique tracking identifiers, according to Koi Security’s findings.

“These aren’t theoretical attacks,” wrote Koi Security’s Idan Dardikman. “With 2.3 million users under surveillance across eighteen different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment. Every click, every website visit, every online transaction becomes a potential attack vector across this vast network.”

The malware implements what Dardikman said was a “sophisticated browser hijacking mechanism” that becomes active every time a user navigates to a new website. It can capture the website address and send it to a remote server—along with the user’s unique tracking ID number. Hackers can also configure the malware to automatically redirect users to different websites, which are potentially harmful.

While Koi Security has not publicly attributed the operation to a specific threat actor or nation-state, the researchers described RedDirection as a highly organized and “particularly devious” effort that amounted to one of the largest browser hijacking operations the company has ever documented. Many of the extensions initially functioned exactly as advertised, which helped them build positive user ratings and evade suspicion on official browser stores.

“Imagine logging into your bank’s website,” Dardikman wrote in the report. “The extension captures your request and seamlessly redirects you to a pixel-perfect replica of your bank’s login page, hosted on the attacker’s servers. You enter your credentials, thinking you’re securely accessing your account, but you’ve just handed over your banking information to cybercriminals.”

Koi Security recommended that users who have installed one of the 18 RedDirection campaign extensions remove it immediately, and then clear their browsing data to remove any tracking identifiers that may be stored on their computers. The company also urged users to run a full system malware scan to check for other infections, and recommended that people monitor their accounts for any suspicious activity.

A review of both Google’s Chrome Web Store and Microsoft’s Edge Add-ons marketplace indicated that the 18 extensions are no longer available for download.

The Epoch Times has reached out to Google and Microsoft for comment.

A list of the known malicious extensions linked to RedDirection, along with their unique extension IDs, is provided below for reference:

Chrome Extensions:

  • Emoji keyboard online—copy & paste your emoji (ID: kgmeffmlnkfnjpgmdndccklfigfhajen)
  • Free Weather Forecast (ID: dpdibkjjgbaadnnjhkmmnenkmbnhpobj)
  • Video Speed Controller—Video manager (ID: gaiceihehajjahakcglkhmdbbdclbnlf)
  • Unlock Discord—VPN Proxy to Unblock Discord Anywhere (ID: mlgbkfnjdmaoldgagamcnommbbnhfnhf)
  • Dark Theme—Dark Reader for Chrome (ID: eckokfcjbjbgjifpcbdmengnabecdakp)
  • Volume Max—Ultimate Sound Booster (ID: mgbhdehiapbjamfgekfpebmhmnmcmemg)
  • Unblock TikTok—Seamless Access with One-Click Proxy (ID: cbajickflblmpjodnjoldpiicfmecmif)
  • Unlock YouTube VPN (ID: pdbfcnhlobhoahcamoefbfodpmklgmjm)
  • Color Picker, Eyedropper—Geco colorpick (ID: eokjikchkppnkdipbiggnmlkahcdkikp)
  • Weather (ID: ihbiedpeaicgipncdnnkikeehnjiddck)

Edge Extensions:

  • Unlock TikTok (ID: jjdajogomggcjifnjgkpghcijgkbcjdi)
  • Volume Booster—Increase your sound (ID: mmcnmppeeghenglmidpmjkaiamcacmgm)
  • Web Sound Equalizer (ID: ojdkklpgpacpicaobnhankbalkkgaafp)
  • Header Value (ID: lodeighbngipjjedfelnboplhgediclp)
  • Flash Player—games emulator (ID: hkjagicdaogfgdifaklcgajmgefjllmd)
  • Youtube Unblocked (ID: gflkbgebojohihfnnplhbdakoipdbpdm)
  • SearchGPT—ChatGPT for Search Engine (ID: kpilmncnoafddjpnbhepaiilgkdcieaf)
  • Unlock Discord (ID: caibdnkmpnjhjdfnomfhijhmebigcelo)
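
A way to check a machine against the lists above, as an added example that is not part of the original article or Koi Security's report: it scans a Chrome or Edge user-data directory for installed extension folders whose names match the 18 IDs. The function names and command-line usage are this example's own, and it assumes the Chromium on-disk layout `<user data>/<profile>/Extensions/<id>/<version>/manifest.json`.

```python
import json
import sys
from pathlib import Path

# Extension IDs copied from the article's lists (10 Chrome, 8 Edge).
FLAGGED_IDS = set("""
kgmeffmlnkfnjpgmdndccklfigfhajen dpdibkjjgbaadnnjhkmmnenkmbnhpobj
gaiceihehajjahakcglkhmdbbdclbnlf mlgbkfnjdmaoldgagamcnommbbnhfnhf
eckokfcjbjbgjifpcbdmengnabecdakp mgbhdehiapbjamfgekfpebmhmnmcmemg
cbajickflblmpjodnjoldpiicfmecmif pdbfcnhlobhoahcamoefbfodpmklgmjm
eokjikchkppnkdipbiggnmlkahcdkikp ihbiedpeaicgipncdnnkikeehnjiddck
jjdajogomggcjifnjgkpghcijgkbcjdi mmcnmppeeghenglmidpmjkaiamcacmgm
ojdkklpgpacpicaobnhankbalkkgaafp lodeighbngipjjedfelnboplhgediclp
hkjagicdaogfgdifaklcgajmgefjllmd gflkbgebojohihfnnplhbdakoipdbpdm
kpilmncnoafddjpnbhepaiilgkdcieaf caibdnkmpnjhjdfnomfhijhmebigcelo
""".split())


def manifest_name(version_dir):
    """Best-effort display name; localized manifests hold a __MSG_...__ key."""
    try:
        text = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
        return str(json.loads(text).get("name", "?"))
    except (OSError, ValueError, AttributeError):
        return "?"  # missing, unreadable or malformed manifest


def find_flagged(user_data_dir, flagged=FLAGGED_IDS):
    """Return sorted (profile, extension_id, version, name) for flagged installs."""
    hits = []
    # Each profile keeps one folder per installed extension, named by its ID.
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if ext_dir.name in flagged and ext_dir.is_dir():
            profile = ext_dir.parent.parent.name
            for ver in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                hits.append((profile, ext_dir.name, ver.name, manifest_name(ver)))
    return sorted(hits)


if __name__ == "__main__":
    # Pass each browser's user-data directory, e.g. ~/.config/google-chrome
    # (example path; the location differs per OS and browser).
    for root in sys.argv[1:]:
        for hit in find_flagged(root):
            print(root, *hit, sep="\t")
```

Both ID lists are checked against every directory given, since a listed extension may be present in either browser's profile.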

By Tom Ozimek

Read on TheepochTimes.com
