Detected an extension in the Chrome Web Store, active since February, that steals credit cards

Tuesday, January 15, 2019

We have detected an extension for Google Chrome, still active, that steals data from web site forms filled in by its victims. This extension, which is still available on the Chrome Web Store (the extension market for Chrome), has been active since February 2018. It is hidden from searches on the Web Store and can only be reached through a direct link, which the attackers spread by injecting JavaScript into compromised web sites so that visitors are redirected to the extension through that link.

[Image: the extension's listing on the Chrome Web Store]

The extension presents itself as a 'Reader Flash' created by a supposed developer, fbsgang.info. Once installed, it embeds a simple function in every web site the user visits. Specifically, it uses the webRequest.onBeforeRequest API, which lets the extension register a 'hook' that is called just before the browser sends a new HTTP request from the page (for instance, when the user clicks a link or submits a form).

[Image: the extension's background script]

This registered function scans the request for credit card numbers by means of regular expressions (looking at the code, you will find regular expressions for Visa (vvregex), MasterCard (mcregex), etc.). If any of the data included in the request is a card number, those numbers, encoded in JSON, are sent to the attacker through an AJAX request. In particular, it uses the "sendFormData" function, which contains the destination URL encoded in base64:

[Image: the base64-encoded URL in the code]

aHR0cDovL2Zic2dhbmcuaW5mby9jYy9nYXRlLnBocA==

That, once decoded, is:

hxxp://fbsgang.info/cc/gate.php
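As an added defensive example (not code from the post or from ElevenPaths' tooling), the following Python script statically triages an extension's background script for the three indicators described above: an onBeforeRequest listener that reads request bodies, card-number regular expressions, and base64 string literals that decode to a URL. The two sample scripts and the gate URL are constructed placeholders, not the real extension's code.

```python
import base64
import re
# Constructed background-script fragment mimicking the behaviour the post
# describes (card regexes, base64-encoded gate URL, onBeforeRequest hook that
# reads request bodies). Not the real extension's code; the URL is a placeholder.
FAKE_GATE = base64.b64encode(b"http://example.invalid/cc/gate.php").decode()
SUSPICIOUS_JS = (
    "var vvregex = /^4[0-9]{12}(?:[0-9]{3})?$/;\n"
    "var mcregex = /^5[1-5][0-9]{14}$/;\n"
    'var gate = "' + FAKE_GATE + '";\n'
    "chrome.webRequest.onBeforeRequest.addListener(hook,\n"
    '  {urls: ["<all_urls>"]}, ["blocking", "requestBody"]);\n'
)
# Benign listener for contrast: no request bodies, no card patterns, no hidden URL.
BENIGN_JS = (
    "chrome.webRequest.onBeforeRequest.addListener(log,\n"
    '  {urls: ["https://api.example.invalid/*"]});\n'
)
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
# Regex literals anchored on card-brand prefixes (Visa 4, MasterCard 51-55,
# Amex 34/37, Discover 6011/65) followed by a 10-19 digit quantifier.
CARD_REGEX_HINT = re.compile(
    r'/\^?(?:4|5\[1-5\]|3\[47\]|6(?:011|5))(?:\[0-9\]|\\d)\{1[0-9]\}')
BODY_HOOK = re.compile(r'webRequest\.onBeforeRequest\.addListener')

def decode_hidden_urls(js):
    """Return every base64 string literal in js that decodes to a URL."""
    urls = []
    for m in B64_LITERAL.finditer(js):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # random-looking literal that is not valid base64/ASCII
        if re.match(r"https?://", text, re.I):
            urls.append(text)
    return urls

def analyze(js):
    """Static triage of one script: returns the indicators and a verdict."""
    report = {
        "reads_request_body": bool(BODY_HOOK.search(js)) and "requestBody" in js,
        "card_regexes": len(CARD_REGEX_HINT.findall(js)),
        "hidden_urls": decode_hidden_urls(js),
    }
    # All three together are the form-skimmer pattern from the post.
    report["verdict"] = ("card-skimmer pattern" if report["reads_request_body"]
                         and report["card_regexes"] and report["hidden_urls"]
                         else "no skimmer indicators")
    return report
```

Run `analyze()` over each script in an unpacked extension; a hit on all three indicators at once is what distinguishes this skimmer pattern from a legitimate listener that merely observes URLs.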

As you can see, it is a simple extension that takes advantage of the broad reach of a single API call. When it was detected, this extension had been installed 400 times. The infrastructure has not been spread massively so far. It has been available on the Chrome Web Store since February 2018; however, since the attacker only published the extension to those who know the link, it cannot be found through a 'usual' search.

[Image: the extension's visibility options on the Chrome Web Store]

So, how is it spread?

Instead of targeting victims through searches or mass mailing (which would make the campaign much more successful but, at the same time, much more 'detectable'), the attackers have opted for another method. They infect web sites (as observed, every site on the same hosting) with a JavaScript snippet that detects whether the browser is Chrome. If so, it redirects the user to a web site stating that Flash must be installed, and from there to the extension. The following image shows the JavaScript snippet injected into the web sites.

[Image: the injected JavaScript fragment]

The point is that the authors have not finished the snippet yet (or they have disabled it for some reason), so what it currently shows is the index of the server's files:

[Image: the server's file index]

This doesn't affect the extension, only the way it spreads. If we 'go back' in time, we can see that its previous appearance was much more credible:

[Image: previous appearance of the server's index page]

If we check its source code:

[Image: source code of the server's index page]

The JavaScript code, once decoded, looks like this:

[Image: the JavaScript code after decoding]

That is to say, it asks users to install Adobe Flash and redirects them to the Chrome extension market (specifically, to the extension described at the beginning), thus closing the circle of infection and data theft. We have alerted Google about this extension so that it is removed from the market as soon as possible. On web sites, we recommend looking for a JavaScript snippet with the structure shown above, to find out whether any of them is infected. Even if the attack seems to have been 'stopped', the extension is still a serious threat. Its hash is: 4d2efd3eebcae2b26ad3009915c6ef0cf69a0ebf.

We remind you that our tool NETO is available for analyzing extensions in general. Here you can find the output produced by the tool for this extension.

[Image: NETO tool output for the extension]

Innovation and Labs
