How hackers used malicious Chrome extensions in a mass spying campaign

The discovery exposes another gap in web browser security despite vendor pledges to block malicious code from download stores.

A sweeping set of surveillance campaigns has hit Google Chrome users, leading to nearly 33 million downloads of malicious software in the last three months, researchers at California-based Awake Security said Thursday.

The researchers believe the unidentified hackers used Chrome extensions and other malicious tools — along with domains issued by a single registrar — to spy on computer users in sectors such as oil and gas, finance and health care. The hackers “were very effective in reaching a large number of industries and subverting controls that were in place,” said Gary Golomb, Awake Security’s cofounder and chief scientist.

U.S. government contractors were among those targeted, Golomb said. He declined to identify the victims.

The discovery exposes another gap in web browser security despite pledges from Google and other vendors to proactively block malicious code from appearing in their official download stores. After being tipped off by Golomb’s team, Google removed more than 70 malicious extensions from the Chrome Web Store.


It is unclear who is behind the malware campaigns. The extensions were capable of taking screenshots and stealing passwords and credential tokens.

“We do regular sweeps to find extensions using similar techniques, code and behaviors, and take down those extensions if they violate our policies,” a Google spokesperson said. “All extensions go through an automated review process, and the majority also undergo manual reviews by our team. We use a combination of automated and manual review, based on a variety of signals for a particular extension.”

Though Google has expunged the extensions from the Chrome store, that wasn’t the only way the attackers dispatched their malicious code onto browsers. They also added code to Chromium, another software package from Google.

Golomb credited Google with being more aggressive in recent months in identifying malicious behavior from extension developers.

Reuters was first to report on the Awake Security research.


Finger pointing and denial

Behind the more than 15,000 malicious or fake domains used in the surveillance campaigns was a single domain registration company called Galcomm, according to Awake Security. Israel-based Galcomm is accredited through ICANN, the not-for-profit that oversees domain registrars.

Galcomm owner Moshe Fogel said the Awake Security report was based on faulty data, adding that a quarter of the domains listed weren’t registered through Galcomm or have expired.

“We are considering our steps and actions against Awake,” Fogel said in an email. Asked if this meant legal action, Fogel said, “We are still investigating this case.”

For Golomb, the use of Galcomm for the hacking campaign points to broader shortcomings in internet security.


“It underscores why this is not just a browser problem,” Golomb told CyberScoop. The use of malicious domains issued through registration companies, he added, “undermines trust across the internet. When registrars [like that] can be accredited…it starts calling into question the accreditation process.”

ICANN spokesman Brad White said the organization had received “relatively few abuse complaints” against Galcomm domains over the last several years. “The few that were filed with us were not substantiated or had nothing to do with malware,” White said.

UPDATE, 06/19/20, 10:30 a.m. EDT: This story has been updated with a statement from ICANN. 

Written by Sean Lyngaas
