What's Happening?
A new wave of malicious browser extensions, part of a campaign known as GhostPoster, has been discovered across popular web browsers including Chrome, Firefox, and Edge. These extensions, which have been active since as early as 2020, were identified by Koi Security and further analyzed by LayerX. The campaign involves 17 Firefox add-ons and additional extensions across other browsers, collectively installed over 840,000 times. The extensions contain malicious JavaScript code hidden in their PNG logos, which acts as a malware loader. Once installed, these extensions can hijack affiliate traffic, strip and inject HTTP headers, bypass CAPTCHA, and perform click fraud and user tracking. Although these extensions do not harvest credentials or engage in phishing, they pose significant privacy risks. Users are advised to remove these extensions immediately as they remain active until explicitly deleted.
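A defensive check for the PNG-logo hiding place described above, added here as an example and not taken from Koi Security, LayerX, or the extensions themselves. The article does not say where in the image the JavaScript sits, so this assumes one common location, bytes appended after the PNG's final IEND chunk; the sample image and trailer are constructed, and `scan_extension_dir` is meant to be pointed at an unpacked extension folder.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return any bytes that follow IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC; body may be empty
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if pos > len(data):
            raise ValueError("chunk runs past end of file")
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")

def scan_extension_dir(root):
    """Return [(path, note)] for PNGs that are malformed or carry trailing data."""
    findings = []
    for path in sorted(Path(root).rglob("*.png")):
        try:
            extra = png_trailing_data(path.read_bytes())
        except ValueError as exc:
            findings.append((str(path), f"malformed: {exc}"))
            continue
        if extra:
            findings.append((str(path), f"{len(extra)} bytes after IEND"))
    return findings

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only for the constructed sample below)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 greyscale PNG and a harmless constructed trailer.
CLEAN_PNG = (PNG_SIG
             + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
CONSTRUCTED_TRAILER = b"/* constructed sample trailer */"

if __name__ == "__main__":
    print(len(png_trailing_data(CLEAN_PNG)))
    print(png_trailing_data(CLEAN_PNG + CONSTRUCTED_TRAILER))
```

A clean icon yields no finding; a hit means the file deserves manual inspection, not that it is necessarily malicious.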
Why It's Important?
The discovery of the GhostPoster campaign highlights ongoing vulnerabilities in browser extension ecosystems, which can be exploited to compromise user privacy and security. With over 840,000 installations, the impact is widespread, affecting a significant number of users who may be unaware of the risks. This situation underscores the need for enhanced security measures and vetting processes by browser developers to prevent malicious extensions from reaching users. The ability of these extensions to hijack traffic and perform click fraud also poses economic threats to legitimate businesses and advertisers. The incident serves as a reminder for users to regularly review and manage their browser extensions to protect their online activities.
What's Next?
As the malicious extensions are no longer available for download, the immediate focus is on user awareness and removal of the existing installations. Browser developers and security researchers are likely to continue monitoring for similar threats and may implement stricter security protocols to prevent future incidents. Users are encouraged to stay informed about potential threats and to regularly update their security settings. Additionally, there may be increased collaboration between security firms and browser developers to enhance detection and prevention mechanisms for malicious extensions.








