Since 2020, Kaspersky has blocked more than 6 million downloads of malicious extensions. In the vast majority of cases, these are adware programs that seek to make money at your expense.
Browser extensions are very convenient, but their use is not without risk. Millions of Internet users fall victim to malicious extensions each year, as the antivirus vendor Kaspersky has just revealed. Within its own customer base alone, the company has blocked more than 6 million downloads of malicious extensions since the start of 2020.
Two-thirds of these blocked extensions were of the “adware” type and one third of the “malware” type. In both cases, they pose as legitimate tools and often offer practical functions: PDF conversion, grammar and spelling correction, video downloading, proxy, etc. Kaspersky used its analysis to highlight four families of malicious extensions.
And presto, the search engine changes
The first is “WebSearch”. This is the most widespread and basic adware family. Upon installation, it replaces the user’s default search engine with another (“myway.com”). It then displays its own advertising links based on the searches carried out. It’s a variant of the famous “toolbar” that has annoyed generations of Internet users. This family includes the following extensions: “EasyPDFCombine”, “PDF Viewer & Converter by FromDocToPDF”, “OnlineMapFinder”, “EasyDocMerge”. These extensions have been removed from browser extension stores, but some people still use them.
The second family is “DealPly”, which is also adware. Usually, these extensions are not downloaded directly by the user, but installed by malware that comes with cracked software. As before, the search engine is replaced by another. The user is also redirected to sponsored sites without their consent. Getting rid of this kind of extension is more complicated, because the malware responsible for installing it also makes it persistent by adding it to the registry. Once deleted, it automatically reappears the next time the browser is launched. Extensions in this family include “Internal Chromium Extension” and “Search Manager”.
Generating fake traffic
The third family is “AddScript”. It is malware containing obfuscated code which, once decoded, engages in rather intrusive actions, such as running video players in the background or dropping fake cookies in the browser directory. The goal, as you will have guessed, is advertising fraud: generating fake video views or making it appear that the user has already visited certain pages. Some examples: “Y2Mate Video Downloader”, “Helper (an easy way to find best prices)”, “SaveFrom.net helper” and “friGate3 Proxy helper”.
The fourth family, finally, is “FB Stealer”. As with DealPly, these extensions are installed by malware embedded in cracked software. Again, the extension changes the search engine. It also steals the user’s Facebook session cookies, logs in in the user’s place and changes the password. “Once inside the account, attackers can demand money from the victim’s friends, trying to get as much as possible before the user regains access to the account,” underlines Kaspersky.
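A defender-side check for the search-engine replacement described for these families, as an added example that is not Kaspersky's code: it walks a Chromium profile's `Extensions` directory and reports extensions that declare a search override or carry one of the names listed in the article. It assumes the `Extensions/<id>/<version>/manifest.json` layout and that the override is declared through the manifest key `chrome_settings_overrides`; an extension that changes the search engine by other means is only caught by name, and the function names are hypothetical.

```python
import json, sys
from pathlib import Path

# Extension names listed in the article (compared case-insensitively).
NAMED = {n.lower() for n in (
    "EasyPDFCombine", "PDF Viewer & Converter by FromDocToPDF", "OnlineMapFinder",
    "EasyDocMerge", "Internal Chromium Extension", "Search Manager",
    "Y2Mate Video Downloader", "Helper (an easy way to find best prices)",
    "SaveFrom.net helper", "friGate3 Proxy helper")}

def load_json(path):
    """Parse a JSON file, tolerating a UTF-8 BOM; return {} if unusable."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(manifest, ext_dir):
    """Resolve a localized "__MSG_key__" name through _locales, else return it."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def audit_extensions(extensions_root):
    """Flag extensions that override the search engine or bear a listed name."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load_json(mf)
        name = display_name(manifest, mf.parent)
        overrides = manifest.get("chrome_settings_overrides")
        provider = overrides.get("search_provider") if isinstance(overrides, dict) else None
        search_url = provider.get("search_url") if isinstance(provider, dict) else None
        named = name.strip().lower() in NAMED
        if search_url or named:
            findings.append({"id": mf.parts[-3], "name": name,
                             "search_url": search_url, "named_in_article": named})
    return findings

if __name__ == "__main__":
    # Usage: python audit_extensions.py "<profile>/Extensions"
    for root in sys.argv[1:]:
        for finding in audit_extensions(root):
            print(finding)
```

A search override is not malicious in itself, since legitimate search extensions declare one too; treat each finding as a prompt to check where the extension came from.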