Google removes over 70 malicious Chrome add-ons after global surveillance spyware campaign


Researchers from the Awake Security Threat team have discovered a global surveillance campaign that delivers spyware through extensions found on the Google Chrome Web Store. These malicious extensions have nearly 33 million downloads, and almost all of them used domains linked to a small registrar in Israel called Galcomm.

These extensions were able to bypass multiple layers of security controls, including the cybersecurity measures taken by sophisticated organizations, essentially staying hidden. The damage caused by the extensions could be immense, as they collected a variety of data such as screenshots, clipboard data, credential tokens stored in cookies or parameters, and even user keystrokes (like passwords).

The Awake Security Team has since contacted Google and has been working on identifying and removing these malicious extensions. To date, they have removed more than 70 extensions from the Chrome Web Store. They declined to comment further on how these attacks were allowed nor did they discuss how it was.

The owner of Galcomm, Moshe Fogel, denied any involvement in this spyware campaign. He claimed that Galcomm, in fact, “cooperates with law enforcement and security bodies to prevent as much as we can”.

At the moment, it is unclear how many end users have been affected by this massive campaign. The research team's complete report lists the names of all the malicious extensions.
