
Malware Service Plants Phishing Extensions on Chrome Web Store

Summary

– A new malware-as-a-service called ‘Stanley’ sells malicious Chrome extensions designed to bypass Google’s review and be published on the Chrome Web Store.
– The malware works by overlaying a legitimate webpage with a deceptive full-screen iframe for phishing, while the browser’s address bar remains unchanged.
– It offers features like silent auto-installation on major browsers, a control panel for operators, geographic targeting, and resilience against takedowns.
– Technically, the code is considered unrefined, but its standout threat is the promised distribution model to infiltrate the trusted Chrome Web Store.
– Users are advised to minimize installed extensions, read reviews, and verify publisher trustworthiness due to such threats slipping through store reviews.

A newly identified malware-as-a-service platform, dubbed ‘Stanley,’ is actively marketing a dangerous capability: the creation and deployment of malicious Chrome extensions designed to bypass Google’s security checks. This service specifically crafts extensions that can overlay legitimate websites with deceptive full-screen phishing pages, all while the browser’s address bar continues to display the authentic URL. The operation represents a significant escalation in the threat landscape, directly targeting the trust users place in official browser marketplaces.

The service, named after the seller’s alias, is promoted on underground cybercrime forums. It offers threat actors a streamlined path to conducting phishing campaigns by intercepting web navigation and covering a visited page with an iframe containing content entirely controlled by the attacker. The core selling point is the promise that these malicious extensions will successfully pass the Chrome Web Store’s review process, granting them access to a vast user base. The MaaS provides multiple subscription plans, with the premium “Luxe Plan” including a web-based control panel and full support for publishing the harmful extension to the official store.

From a technical standpoint, the malware functions by generating a deceptive iframe that loads phishing content. Crucially, the victim’s address bar remains unchanged, showing the legitimate domain to maintain the illusion of safety. Operators using the Stanley control panel can dynamically enable or disable hijacking rules and even push fraudulent notifications directly to the victim’s browser to steer them toward specific malicious pages. The service also includes features for victim identification based on IP address, allowing for geographic targeting and tracking users across sessions and devices.
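The overlay described above leaves a measurable trace in the page itself: a frame that covers almost the whole viewport, is pinned with fixed or absolute positioning, and loads content from an origin that is not the site shown in the address bar. The following check, which is an added example and not code from the article, from Stanley, or from the researchers who analysed it, scores every iframe on a page against those three properties. The coverage threshold, the constructed frame descriptors and the hostnames are assumptions made for the example; in a browser, `collectFrames()` reads the live DOM instead of the sample data.

```javascript
// Added example (not from the article): flag full-viewport, cross-origin,
// pinned iframes, the shape of overlay the article describes.
// Runs in Node on constructed frame descriptors; in a browser it reads the DOM.

const COVERAGE_THRESHOLD = 0.9; // assumption: >=90% of the viewport counts as "full-screen"

// Origin of a frame URL; null for about:blank, srcdoc or an empty src,
// which are treated as "not the page's origin" below.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// frame = { src, rect: { left, top, width, height }, position }
function isSuspiciousOverlay(frame, viewport, pageOrigin) {
  const { left, top, width, height } = frame.rect;
  // Area of the frame that is actually inside the viewport.
  const visibleW = Math.max(0, Math.min(left + width, viewport.width) - Math.max(left, 0));
  const visibleH = Math.max(0, Math.min(top + height, viewport.height) - Math.max(top, 0));
  const coverage = (visibleW * visibleH) / (viewport.width * viewport.height);
  const crossOrigin = originOf(frame.src) !== pageOrigin;
  const pinned = frame.position === 'fixed' || frame.position === 'absolute';
  return coverage >= COVERAGE_THRESHOLD && crossOrigin && pinned;
}

// Returns the src of every frame that trips all three heuristics.
function findOverlays(frames, viewport, pageOrigin) {
  return frames
    .filter(f => isSuspiciousOverlay(f, viewport, pageOrigin))
    .map(f => f.src);
}

// Browser-only collector: builds the same descriptors from the live DOM.
function collectFrames() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.querySelectorAll('iframe')).map(el => {
    const r = el.getBoundingClientRect();
    return {
      src: el.src,
      rect: { left: r.left, top: r.top, width: r.width, height: r.height },
      position: getComputedStyle(el).position,
    };
  });
}

// Constructed sample data (hostnames are placeholders): an embedded video widget,
// a full-page frame the site serves itself, and a fixed cross-origin overlay.
const SAMPLE_VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_PAGE_ORIGIN = 'https://bank.example';
const SAMPLE_FRAMES = [
  { src: 'https://video.example/embed/1', rect: { left: 100, top: 300, width: 560, height: 315 }, position: 'static' },
  { src: 'https://bank.example/app', rect: { left: 0, top: 0, width: 1280, height: 800 }, position: 'absolute' },
  { src: 'https://login-example.invalid/', rect: { left: 0, top: 0, width: 1280, height: 800 }, position: 'fixed' },
];

if (typeof document === 'undefined') {
  console.log(findOverlays(SAMPLE_FRAMES, SAMPLE_VIEWPORT, SAMPLE_PAGE_ORIGIN));
} else {
  console.log(findOverlays(collectFrames(), { width: innerWidth, height: innerHeight }, location.origin));
}
```

A same-origin frame that fills the page (the second sample entry) is not flagged, which is the point of the origin check: the address bar is truthful about the top-level document, so the question is whether what the user sees was served by that document's origin.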

To ensure persistence, the malicious extension is designed to poll a command-and-control server every ten seconds. It also employs backup domain rotation, a tactic that enhances its resilience against security takedowns. Researchers note that the underlying code is not particularly sophisticated, containing rough elements like Russian-language comments and inconsistent error handling. Its power lies not in advanced techniques but in its effective and brazen distribution model.
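A fixed ten-second poll and a hand-off to a backup domain are both visible in outbound proxy logs, which is where a defender can catch this without ever seeing the extension. The following heuristic is an added example, not code from the article or from any of the researchers it cites: it parses constructed log lines, groups requests by client and destination host, and flags hosts contacted at a near-constant interval, then looks for one periodic host going quiet just as another with the same cadence starts. The log format, the thresholds and every hostname are assumptions made for the example.

```javascript
// Added example (not from the article): beaconing and domain-rotation heuristic
// over proxy log lines. Format assumed for the example:
//   "<ISO timestamp> <client ip> <method> <url> <status>"

const MIN_REQUESTS = 5;      // assumption: fewer hits is not enough to call it periodic
const MAX_JITTER_CV = 0.25;  // assumption: max coefficient of variation of the gaps
const PERIOD_RANGE_S = [1, 120]; // assumption: cadences outside this are ignored

function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [ts, client, , url] = parts;
  let host;
  try { host = new URL(url).host; } catch { return null; }
  return { t: Date.parse(ts) / 1000, client, host };
}

// Group request timestamps by (client, host).
function groupRequests(logText) {
  const groups = new Map();
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.client} ${r.host}`;
    if (!groups.has(key)) groups.set(key, { client: r.client, host: r.host, times: [] });
    groups.get(key).times.push(r.t);
  }
  return [...groups.values()];
}

// Mean gap and its coefficient of variation: a tight CV means a fixed timer.
function beaconStats(times) {
  const t = [...times].sort((a, b) => a - b);
  const gaps = t.slice(1).map((v, i) => v - t[i]);
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  const cv = mean > 0 ? Math.sqrt(variance) / mean : Infinity;
  return { first: t[0], last: t[t.length - 1], count: t.length, mean, cv };
}

function findBeacons(logText) {
  return groupRequests(logText)
    .filter(g => g.times.length >= MIN_REQUESTS)
    .map(g => ({ client: g.client, host: g.host, ...beaconStats(g.times) }))
    .filter(b => b.cv <= MAX_JITTER_CV && b.mean >= PERIOD_RANGE_S[0] && b.mean <= PERIOD_RANGE_S[1]);
}

// Domain rotation: host A stops and host B with the same cadence starts within two periods.
function findHandovers(beacons) {
  const out = [];
  for (const a of beacons) for (const b of beacons) {
    if (a === b || a.client !== b.client) continue;
    const gap = b.first - a.last;
    const samePeriod = Math.abs(a.mean - b.mean) <= 0.2 * a.mean;
    if (gap > 0 && gap <= 2 * a.mean && samePeriod) out.push({ client: a.client, from: a.host, to: b.host });
  }
  return out;
}

// Constructed sample log: ordinary browsing mixed with a 10-second poll that
// moves from one placeholder domain to a backup one.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z 10.0.0.5 GET https://www.example.com/ 200
2024-05-01T10:00:01Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:00:04Z 10.0.0.5 GET https://www.example.com/news 200
2024-05-01T10:00:11Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:00:21Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:00:31Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:00:37Z 10.0.0.5 GET https://www.example.com/contact 200
2024-05-01T10:00:41Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:00:51Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:01:01Z 10.0.0.5 GET https://updates.badhost.invalid/poll 200
2024-05-01T10:01:11Z 10.0.0.5 GET https://backup.badhost2.invalid/poll 200
2024-05-01T10:01:21Z 10.0.0.5 GET https://backup.badhost2.invalid/poll 200
2024-05-01T10:01:31Z 10.0.0.5 GET https://backup.badhost2.invalid/poll 200
2024-05-01T10:01:41Z 10.0.0.5 GET https://backup.badhost2.invalid/poll 200
2024-05-01T10:01:51Z 10.0.0.5 GET https://backup.badhost2.invalid/poll 200
`;

const beacons = findBeacons(SAMPLE_LOG);
console.log(beacons.map(b => `${b.client} -> ${b.host} every ${b.mean}s (${b.count} hits)`));
console.log(findHandovers(beacons));
```

The coefficient-of-variation test is what separates a timer from a user: people revisit a site at irregular gaps, so `www.example.com` in the sample never qualifies even with more hits, while the polling host does with as few as five. The handover check is deliberately narrow (same client, same period, new host starting within two periods of the old one stopping) so that it points at domain rotation rather than at any two services a browser happens to talk to.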

This development follows recent reports from other cybersecurity firms detailing how malicious extensions continue to infiltrate official stores. It underscores a persistent vulnerability in the ecosystem. For protection, users are strongly advised to install only the extensions they absolutely need, carefully scrutinize user reviews and publisher information, and remain vigilant about any unusual browser behavior, even on familiar websites.

(Source: Bleeping Computer)
