According to a report released earlier this month, more than 100,000 Google Chrome users were affected after downloading malware from browser extensions in the official Chrome Web Store.

Security firm Radware uncovered the attack, which they dubbed “Nigelthorn,” through its machine-learning algorithms. The attack was spread through Facebook: users would click through to a fake YouTube page, which directed them to download an extension to view the video. Once installed, the Chrome extension malware became capable of stealing user credentials, committing click fraud and installing cryptomining scripts on the local machine.

The Chrome extension malware attack was created by threat actors who had hijacked legitimate browser extensions with malicious scripts. The most commonly used was an app called “Nigelify,” which replaces pictures with the face of cartoon character Nigel Thornberry (whom we have never heard of before this). By taking advantage of existing apps in the Chrome store, the hackers could bypass Google’s extension validation checks. Along with Nigelify, at least 7 other apps were used during the scheme, and Google has been able to remove several of these apps from the Chrome store.

Once installed, the malware goes right for your Facebook credentials, asking users to generate a token through a Facebook API. It then posts the malicious YouTube link to your Facebook page or sends it through Messenger, tagging up to 50 contacts in hopes of spreading the link to more targets.

This cyber-attack infected users in over 100 countries, with over 75% of victims being from the Philippines, Venezuela and Ecuador.

How Do I Protect Myself from Chrome Extension Malware?

Nigelthorn isn’t the first and certainly won’t be the last malware scheme to make its way through the Chrome store or any other app store network. Malicious extension campaigns are a problem because security software programs typically treat Chrome like a trusted application.

Some of the most popular extensions on Chrome are ad blockers, which have been a target in the past. Hackers will simply copy the code from a legitimate ad blocker, create their own app with the added bonus of malware code, and overoptimize keyword fields in hopes of getting the app to the top of search results.

It is recommended to only download ad extensions from legitimate authors and companies. If you haven’t heard of the company behind the app, do not download it. Even if an app has thousands of trusted reviews, those can be falsified easily to give potential victims a false feeling of security.

By the same token, don’t download apps that do not have any reviews. Here is a list of trusted ad blockers in the Google Chrome store put out by Digital Trends.

Always be sure to check which permissions each app you download is asking for. There is no reason for an ad blocker to have access to your webcam.

You can review the list of Chrome extensions you have already downloaded, as well as their permissions, by going to “More tools” and “Extensions” in your browser.
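The same permission review can be scripted by reading each installed extension's manifest.json. The following is an added example, not part of the original article: the list of permissions treated as risky is an assumption chosen for illustration, the sample manifests are constructed, and on Linux the folder to pass to `audit_extensions` is typically `~/.config/google-chrome/Default/Extensions` (the location differs by operating system and profile).

```python
import json
import tempfile
from pathlib import Path

# Assumed review list (not from the article): APIs with broad reach over browsing data.
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
              "management", "nativeMessaging", "debugger", "proxy"}
# Host patterns that match every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return sorted findings for one parsed manifest.json."""
    requested = set()
    # Manifest V2 mixes API and host permissions; V3 moves hosts to host_permissions.
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts run inside pages, so their match patterns count as host access.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return sorted([f"api:{p}" for p in requested & RISKY_APIS] +
                  [f"host:{p}" for p in requested & BROAD_HOSTS])

def audit_extensions(extensions_dir):
    """Audit every <extension id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            report[ext_id] = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):  # unreadable or malformed manifest
            report[ext_id] = ["unreadable manifest"]
    return report

def demo():
    """Constructed sample data: one over-privileged 'ad blocker' and one narrow extension."""
    samples = {
        "sample-adblock": {"manifest_version": 2,
                           "permissions": ["cookies", "tabs", "<all_urls>", "storage"]},
        "sample-theme": {"manifest_version": 3, "permissions": ["storage"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            folder = Path(root, ext_id, "1.0_0")
            folder.mkdir(parents=True)
            (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions(root)

if __name__ == "__main__":
    for ext_id, findings in demo().items():
        print(ext_id, findings or "nothing flagged")
```

A finding is a prompt to ask whether the extension's stated purpose needs that access, not proof that it is malicious.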

ThrottleNet is a leading managed IT services company in St. Louis.