
We busted a fake Chrome extension that was trying to steal data - cws
https://www.extrahop.com/company/blog/2018/fake-chrome-extension-threat-hunt/
======
tyingq
_" It's also not clear how any other tool would have detected the long-lived,
persistent outbound connection with relatively low bandwidth"_

Perhaps, but this extension could have been stealthier. It was using a
plaintext web socket on port 6332. If the extension author had instead gotten
a Google Analytics account, and exfiltrated data via encrypted HTTPS GETs to
Google servers, it might have never been spotted. That kind of traffic likely
happens 24/7 in a typical corporate environment.
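The detection angle in the comment above (a long-lived, low-bandwidth, persistent outbound connection, over plaintext, to an unusual port) can be expressed as a small scoring heuristic. The example below is added here and is not from the ExtraHop post, the product, or anyone in the thread; the flow records are constructed, and the field names, the "common port" list and the thresholds are assumptions chosen for illustration.

```python
"""Toy heuristic for the traffic pattern discussed above.

Added example, not code from the article or the product. The `Flow` fields,
COMMON_PORTS and the thresholds are assumptions; the sample flows are
constructed and the addresses are documentation ranges.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str          # application protocol as identified on the wire
    duration_s: int     # how long the connection stayed open
    bytes_out: int      # bytes sent by the internal host
    encrypted: bool     # whether the payload was encrypted (TLS, SSH, ...)


# Assumed baseline of ports that carry routine outbound traffic in this network.
COMMON_PORTS = {22, 25, 53, 80, 443, 993, 995, 3389}


def suspicion_reasons(flow, min_duration_s=3600, max_avg_bps=2000):
    """Return the list of traits that match the 'slow, persistent' profile."""
    reasons = []
    if flow.duration_s >= min_duration_s:
        reasons.append("long-lived")
        # Average outbound rate in bits/s over the life of the connection.
        avg_bps = flow.bytes_out * 8 / flow.duration_s
        if avg_bps <= max_avg_bps:
            reasons.append("low-bandwidth")
    if flow.dport not in COMMON_PORTS:
        reasons.append(f"unusual port {flow.dport}")
    if not flow.encrypted:
        reasons.append("plaintext")
    return reasons


def flag_flows(flows, min_reasons=3):
    """Return (flow, reasons) pairs for flows matching at least min_reasons traits."""
    flagged = []
    for flow in flows:
        reasons = suspicion_reasons(flow)
        if len(reasons) >= min_reasons:
            flagged.append((flow, reasons))
    return flagged


# Constructed sample flows: one resembling the extension's beacon, three benign.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "203.0.113.10", 6332, "websocket", 86400, 400_000, False),
    Flow("10.0.0.15", "198.51.100.20", 443, "https", 30, 2_000, True),
    Flow("10.0.0.15", "192.0.2.7", 22, "ssh", 7200, 50_000, True),
    Flow("10.0.0.15", "10.0.0.99", 8080, "websocket", 120, 9_000, False),
]

if __name__ == "__main__":
    for flow, reasons in flag_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} ({flow.proto}): {', '.join(reasons)}")
```

Only the first constructed flow crosses the threshold; the SSH session is long-lived and low-bandwidth but scores two traits, and the short connections score fewer. Note that this scoring would give the stealthier variant described in the comment (short encrypted requests to a popular service) a score of zero, which is exactly the commenter's point: port and encryption heuristics alone do not cover it.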

~~~
cws
Totally. This extension was trying to be stealthy about exfiltrating
data... but it wasn’t trying that hard. As noted in the article, the same
developer had at least one other extension using the same code to obfuscate
and exfiltrate data. Seems like sort of a spray and pray approach.

------
kungfufrog
The blog post was moderately informative/useful and interesting, but the
marketing brochure website behind it is next to useless and I can't find
anything meaningful about what they actually sell or do. Frustrating follow-up
experience for me that reminds me of most enterprise ISVs.

~~~
cws
It is a network traffic analysis product. You send it traffic via port mirror
and it analyzes for shady behavior. Here’s the main overview of what it is
[https://www.extrahop.com/products/security/](https://www.extrahop.com/products/security/)

~~~
GeekRaconteur
And here's a technical overview of the product:
[https://www.extrahop.com/products/security/how-it-works/](https://www.extrahop.com/products/security/how-it-works/)

------
codedokode
This is a serious issue with the Chrome Store. Google doesn't properly warn
users that the store is not pre-moderated and can contain malware. Instead,
they have made a colourful, positive-looking site without the necessary
warnings.

~~~
behringer
Neither does download.com. Maybe what we need is a good A/V designed around
Chrome and Firefox et al.

------
porlune
It should be noted that at one time, Postman was a Chrome extension. They
recently deprecated that extension.

[http://blog.getpostman.com/2017/11/01/goodbye-postman-chrome-app/](http://blog.getpostman.com/2017/11/01/goodbye-postman-chrome-app/)

~~~
cws
Yep, that’s a great point. That deprecation probably contributed to the gap
that the malware uploader exploited. People expect an extension called
Postman, and they find it. Their guard is down and they download the fake one.
I don’t know the solution, but there has to be a better way for app/extension
stores to handle this relatively common scenario.

------
empyrical
Because the visibility of the Arc Welder extension (the one that lets you use
Android apps on desktop Chrome) is set to hidden, which hides it from both the
Web Store and Google searches, there are malicious extensions that take
advantage of this and will become the top search result for Arc Welder. And if
you don't know where to look, it can be very hard to find the real link for
Arc Welder. So as a result, these malicious Arc Welders often get many
thousands of installs before being taken down. Very frustrating, because even
if you report them immediately after they are added, it takes a few days to
take them down.

~~~
cws
Yeah, that is incredibly frustrating. It seems to me that many of these types
of scams target general consumers, piggybacking on legitimate apps' names to
get a few thousand people to pay a buck or give you some personal info, etc.
These instances that target developer tools have the potential to do a
different kind of damage to people's livelihoods.

------
ocdtrekkie
_As of this writing, the malicious "Postman" extension is still available in
the Google Chrome extension store and has been downloaded over 27,000 times._

This is pretty much par for the course, unfortunately.

~~~
cws
Yep. Pretty hard to police. Unlikely to be removed until it gets quite a lot
of attention.

~~~
audessuscest
Firefox does it really well though, before.

------
cws
Here’s a ZDNet article about the same extension
[https://www.zdnet.com/article/industrial-espionage-fears-arise-over-chrome-extension-caught-stealing-browsing-history/](https://www.zdnet.com/article/industrial-espionage-fears-arise-over-chrome-extension-caught-stealing-browsing-history/)

------
kalehrishi
The black theme of the tool makes me chuckle. Wondering how it became the de
facto color theme of hacking tools! The only thing missing is neon green.

~~~
toyg
Because it’s easier on the eyes. For people spending unhealthy amounts of time
being bombarded by monitors right in the retinas, it’s a necessity.

~~~
astura
It's not a "necessity," it's a personal preference.

I started out programming on a dark theme (the Emacs default), but I've used a
light theme professionally for about 15 years (and no other dark
applications). I prefer the light theme, and I don't find it hard on my eyes
one bit, and I have astigmatism.

~~~
aepiepaey
The Emacs default is bright (black text on white background), not dark.

The exception is if you're using it in a terminal, in which case it re-uses
the terminal's colors.

~~~
astura
Well, the Emacs theme installed on our school computers was a dark theme. This
was way back in the day.

------
AznHisoka
... and this is what SimilarWeb browser extensions have been doing for 5+
years. Yet Google doesn't seem to care.

------
m_developer
Well, that was a fun way to find out you have a malicious app installed in
your browser.

It would be nice to have an overview of what exactly was exported to know the
impact of this breach (without having to use reveal(x) myself).

~~~
cws
It was sending off URLs visited by the host machine. Browsing history,
essentially, which could be benign, except that when your machine is inside a
corp network you might be visiting all kinds of internal resources with URLs
that shouldn’t be public, with sensitive info included in the resource
locator, GET/POST contents, etc.

------
xte
Generally speaking, anyone can create malicious software disguised in various
ways, FOSS projects included.

However, instead of creating a classic "antivirus" vs "virus" scenario, which
we all know doesn't work, my line is: everything must be open (hardware,
software) and developed in a FOSS way from the start.

For instance, if you are a hardware OEM who wants to produce a new GNU/Linux
phone? OK, start work on it in a public repo. If your project interests
others, many with valuable skills will come to help. Perhaps including some
bad ones. But the community will protect you, because you publish from the
start; the rate of benevolent and interested individuals that follow your
project from the start will likely detect any bad guys, far better than any
software, heuristic, or even "AI" in general terms. After that, you know that
the community gives credit, so if the project is successful people will buy
your product, paying you back for your part of the work and the physical
production. Others, of course, may use your schematics and software for free,
but if they add competitive features you get them back for free because of
FOSS licensing; if they do not respect licenses you'll be backed by the FSF &
co., which have firepower and advertising capability normally superior to any
new company/startup. Otherwise, if there is only price competition, many will
go for the cheap; many, not all. And if you and the community keep innovating
the project you keep earning money, no different than the pharmaceutical
industry that does research vs. the "generic" pharmaceutical industry.

Long story short: I can't trust closed-source extensions any more or less than
closed-source security software; I can't trust one company any more than
another (only reputation can lead to small percentage variations). So I do my
best to avoid inoculating my systems with software that I can't trust... Good
assessments are still needed, but they are IMO not really very valuable
without openness at the base: the _need_ for trust is a weakness, so we need
to be able to trust each other with the power to verify trust at the core, not
only at the skin.

------
berbec
Nice ad.

------
cws
As of this writing, the fake Postman extension appears to have been removed
from the Chrome extension store. Huzzah!

