Browser extensions, like the ones for Google Chrome, can be extremely useful; I have a whole bunch myself. But this video is a warning that you need to be extremely diligent when going and installing new ones, even if you're getting them from the official Chrome Web Store. There have been countless stories of malicious extensions slipping through on the Chrome Web Store and being installed by millions of people. And in my opinion, Google does not do nearly enough to vet these extensions, and really their vetting process is not reliable at all. There are even extensions like this one that were installed by malware, and literally every single review is people saying they can't remove it, that it's a virus, that they don't want this extension, yet this thing has remained on the Web Store for over six months. And there are some nasty extensions out there recently that have even come from advertisements on Facebook and then would hack your Facebook account and take it over by stealing your credentials. But spoiler alert, those are something that the sponsor of this video, Guardio, can protect against; I'll get to that later. So in this video, I'll go over things like the various types of malicious extensions, the ways they're installed, and some tricks they use to prevent being uninstalled. And of course, some ways you can avoid these extensions or at least minimize your risk.

So what are some ways that a malicious extension might get installed in the first place? The first one is that it may be on the Chrome Web Store itself. A lot of times what these will do is pretend to be one thing, or they may even do that simple task they advertise, but then they'll do something malicious in the background. They may ask for way more permissions than are necessary for that task, and people will grant them. And then you don't even realize that in addition to that thing, it's doing a whole bunch of other nasty stuff.
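As an added example (this is not something from the video), here is a PowerShell script that lists the extensions installed in your Chrome profile and flags the ones holding broad permissions, so you can compare what each one asks for with what it claims to do. It assumes the default Windows profile path and a standard Chrome install, and it only reads files.

```powershell
# Added example, not code from the video: list the Chrome extensions installed
# in the current Windows user's default profile and flag permissions that give
# an extension wide reach, so they can be compared with what it claims to do.
# Assumptions: standard Chrome install, profile at the default path below,
# manifest.json present for each installed version. Read-only; changes nothing.

$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$extRoot    = Join-Path $profileDir 'Extensions'
if (-not (Test-Path $extRoot)) { Write-Warning "No extensions folder at $extRoot" }

# Permissions and host patterns that reach every site or the whole browser.
# Having one is not proof of malice (a password manager needs several), but a
# "color theme" or "image resizer" asking for them deserves a second look.
$broad = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*',
           'cookies', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
           'tabs', 'history', 'management', 'nativeMessaging', 'proxy',
           'debugger', 'clipboardRead', 'scripting')

# Chrome stores a localized name as "__MSG_key__" and resolves it from
# _locales/<locale>/messages.json; mirror that so the report shows real names.
function Resolve-ExtName {
    param([string]$Name, [string]$VersionDir, [string]$DefaultLocale)
    if ($Name -notmatch '^__MSG_(.+)__$') { return $Name }
    $key     = $Matches[1]
    $locale  = if ($DefaultLocale) { $DefaultLocale } else { 'en' }
    $msgFile = Join-Path $VersionDir "_locales\$locale\messages.json"
    if (-not (Test-Path $msgFile)) {
        # Fall back to any locale shipped with the extension
        $msgFile = Get-ChildItem (Join-Path $VersionDir '_locales') -Recurse -Filter messages.json -ErrorAction SilentlyContinue |
                   Select-Object -First 1 -ExpandProperty FullName
    }
    if (-not $msgFile) { return $Name }
    $msgs  = Get-Content $msgFile -Raw | ConvertFrom-Json
    $entry = $msgs.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
    if ($entry -and $entry.Value.message) { return [string]$entry.Value.message }
    return $Name
}

function Get-ChromeExtensionReport {
    foreach ($idDir in Get-ChildItem $extRoot -Directory -ErrorAction SilentlyContinue) {
        # Each extension id folder holds one or more version folders; take the newest on disk.
        $verDir = Get-ChildItem $idDir.FullName -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $verDir) { continue }
        $manifestPath = Join-Path $verDir.FullName 'manifest.json'
        if (-not (Test-Path $manifestPath)) { continue }
        $m = Get-Content $manifestPath -Raw | ConvertFrom-Json

        # Manifest V2 lists host patterns under "permissions"; V3 splits them
        # into "host_permissions". Collect both; skip the rare non-string entries.
        $perms = @()
        if ($m.permissions)      { $perms += @(@($m.permissions)      | Where-Object { $_ -is [string] }) }
        if ($m.host_permissions) { $perms += @(@($m.host_permissions) | Where-Object { $_ -is [string] }) }
        $flagged = @($perms | Where-Object { $_ -in $broad })

        [pscustomobject]@{
            Id          = $idDir.Name
            Name        = Resolve-ExtName $m.name $verDir.FullName $m.default_locale
            Version     = $m.version
            ManifestVer = $m.manifest_version
            BroadPerms  = ($flagged -join ', ')
            AllPerms    = $perms.Count
            # Local install/update time only; Chrome does not record first publication
            OnDisk      = $verDir.LastWriteTime
        }
    }
}

# Most-privileged first, so the ones worth questioning are at the top
Get-ChromeExtensionReport | Sort-Object { $_.BroadPerms.Length } -Descending |
    Format-Table Id, Name, Version, ManifestVer, BroadPerms, OnDisk -AutoSize -Wrap
```

The Id column is the 32-letter extension id, which is what the Web Store listing URL ends in, so you can match a row against the store page and its reviews; a row whose BroadPerms column is long but whose name suggests a one-trick tool is the kind of thing the video is warning about.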
Here's one example of an extension whose only purpose is to redirect your searches to some crappy random search engine, so basically they can display ads to you. There are a couple of reviews, but they're basically gibberish; you can tell these are fake reviews. But there are other examples of ones that did a lot more nasty stuff, like fake ChatGPT extensions that pretended to give you ChatGPT access, but then they would literally steal your cookies and tokens and hijack your Facebook account, change your account name, and use it for God knows what. And these were on the Chrome Web Store, but it wasn't until they got quite a bit of attention that Google finally removed them.

Now, on this topic of protecting against malicious extensions, we have a very relevant sponsor for today, Guardio. Guardio provides real-time, enterprise-level protection from all sorts of threats while browsing the web, including the malicious extensions I'm talking about today, all the while still being affordable to consumers and small businesses. For example, Guardio scans your browser extensions, alerts you if there are any disguised malicious extensions installed, and disables them. In fact, they were the ones that first discovered the fake ChatGPT extensions and reported on that, so they're actually being proactive in searching for new malicious extensions. They then fingerprint and block those extensions; like you can see here, it will warn you, and even if it gets installed some other way, it will be immediately disabled. But that's not all. Guardio also blocks malicious websites using in-house, custom-developed methods for detecting phishing and malware content, all before those threats even have a chance to do any harm. Guardio has also added download protection to block malicious files even if you accidentally download them, like from fake sites for popular software or even malicious game mods. One of my other favorite features is that Guardio will also warn you if a website's domain has been registered very recently, which is a major red flag. You can scan your browser for threats for free by visiting Guard.io/ThioJoe and installing the extension, and you'll also get a seven-day free trial of the premium features such as real-time threat removal. Plus you'll even get 20% off every month of the first year of their affordable premium plan for full protection. So if you want a clean and secure browsing experience, again, visit Guard.io/ThioJoe, link in the description. And with all that being said, let's continue.

Another way a malicious extension might be installed is by malware. So you might download a free package of some kind of software from some sketchy website, and it might even be that legitimate software, but packaged along with it is a sketchy installer that also installs an extension. You used to see this kind of thing a lot where you download some free program, and if you didn't uncheck a certain box during the installation process, it would install some kind of toolbar; same idea. But the range of how malicious these might be could vary greatly. If you're lucky, the extension is easily removable just like any other; you just go and click to remove it. But there are some times where the malware may change management policies on your computer for Google Chrome, where you literally won't be able to uninstall it in the normal way, because it'll say "managed by your administrator": you can't uninstall this because it was installed by an admin, that sort of thing. And sometimes they'll even add a way for it to reinstall itself even if you do remove it, like by adding scheduled tasks to the Task Scheduler in Windows. And if you remove it every day, it'll just reinstall it.

Now, to be clear, if you see "managed by organization," you don't necessarily have to be worried. It is a legitimate feature, and it may, for example, show up if you have certain antiviruses; they will manage the browser and implement policies and stuff. And also if you are using a work device or a work account, a lot of times companies will implement certain company-wide settings on the browsers as requirements, or also required extensions if you're going to be using a company device, that sort of thing. So really you only have to be worried if you know that you have a malicious extension that's using this method to prevent itself from being uninstalled. But anyway, an example of this is that one I showed you before, where people are saying they literally cannot uninstall it, even though they want to. Now, the fact that Google hasn't removed this one is astounding to me. I guess maybe they're saying, "Well, all it does is, you know, change someone's search browser like it says. It's not doing anything it doesn't say it does," but ignoring the fact that it's a virus that is the only thing that's installing this. No one is voluntarily installing this, so they should remove it.

Now moving on, a third way that an extension could be installed is what is called side-loaded, or manually installed. So you don't have to install stuff from the Chrome Web Store. If you enable developer mode in the extensions page, you can actually install a Chrome extension using a file just like any other program on your computer. So a lot of times malware will install an extension this way to totally bypass the Chrome Web Store, because it might be doing something so obviously malicious that it would get caught on there. But with this, it doesn't get checked at all. So that's a common way they'll do it.

Now as for different categories of malicious extensions and what they do, I mean really the sky's the limit. They can be just as malicious as any other malware or virus on your computer, because if you think about it, a lot of times if you download a virus, they're targeting stuff you're doing on the internet anyway, like keylogging, password logins, stuff like that. So if they can get that done with an extension, they may as well. One example I mentioned before is search hijackers. They'll just replace your default search engine with some random one so that they can get that ad revenue if you go and use it. Another one might be ad injectors, where they'll actually modify a website to add in additional ads, and obviously the revenue will go to the creator of the malicious extension, so they'll make money that way. I've also seen examples of crypto-mining Chrome extensions that do that in the background without you knowing. And at the high end of being nasty, you have stuff like keyloggers and cookie-stealing extensions. And by cookie stealing, I mean that if you log into a website, it adds a cookie to your browser so it keeps you logged in. Well, the malware may steal that cookie and send it to the creator of the malware, and then they are already logged into your account. And they don't even have to worry about typing in the password or two-factor authentication. It's a really easy way for them to steal accounts. Or of course, these extensions could do multiple or all of the above.

There's one example of a really bad campaign called Dormant Colors, where there were like 30 different extensions that were all color- and theme-related for your browser. And on the surface they actually did what they said, and they remained dormant, but there was actually malicious code hidden in there. And it wasn't until they had millions of installs that they activated the malicious part. And they did stuff like replacing search engines, replacing URLs that you type in to redirect to a phishing version of a website, all sorts of nasty stuff. And there's at least one example of them getting a "Featured" badge, which usually means that it was vetted by an actual person on the Chrome Web Store team. And I guess at that point, there's not really much you can do about it. If you see that, you should think it's trusted, but who knows.

Now, there are several things you can do to avoid a lot of these malicious extensions. Some of them are more common sense, some of them not. One thing you could do is check to see if it has a lot of installs. And obviously this is not a guarantee, but it's kind of a signal, because you would think if it really was malicious, the more people that use it, the more likely there'd be people reporting it as malicious. But also watch out, because I suspect that install count can be botted. I mean, this extension is showing over 300,000 installs, but there are just two obviously fake reviews. It just doesn't add up. So maybe see if the number of reviews versus installs makes sense.

Next, you can check to see what badges are on the Chrome extension. But again, these are not necessarily any kind of guarantee at all. One of them is this "established publisher" badge; it just has a check mark next to the website. This doesn't really seem to be very meaningful. I believe this just means they verified their website and that they don't have any current violations on their developer account. But I mean, they could easily verify any website they sign up for; that doesn't really mean anything. And it could just mean they weren't caught yet if they don't have any violations. And obviously if they are, they're just going to make a new one. So just from them having this badge, I wouldn't really consider that anything of importance. But if it is tied to a well-known website, like a really well-known company or something, that might be meaningful, because it means they actually are associated with that website. Another badge to look for is the "Featured" badge. This one should theoretically mean that it's safe, because apparently it is actually reviewed by the Chrome Web Store team, and you know they reviewed it, made sure it follows policies, and deemed it good. So I would say generally I would trust an extension that is featured. But again, there was that one from the Dormant Colors campaign that ended up being malicious that was featured. But like I said, really at that point there's not really much you can do if even the Chrome Web Store employees can't figure that out.

You can also check the reviews. Obviously if it has a lot of negative reviews, that's not a good sign. And you can also maybe look at how old the oldest review is, to see how long this extension has most likely been around. If it's a very new extension, I probably wouldn't trust it as much as one that's been there for years. Because there's no way to see when a Chrome extension was actually first published; it just shows you the most recent update. So looking at the oldest review is probably the only decent way to do that.

Another thing to look out for: if the Chrome extension claims to be part of some open source project or something that's popular, make sure that you look at the website that it links to, ensure that it is actually associated with that project, and make sure that website links back to that actual extension. Because with the fake ChatGPT extensions, they pretended to be part of a popular open source Chrome extension that was legitimate, but they weren't actually associated with it. So you would have had to go to that actual GitHub page and make sure that it was linking to the correct one. But the tricky thing is these fake ChatGPT extensions were actually being advertised in Google search sponsored results and Facebook ads, so they were really being pushed out there. This is actually something that the sponsor of this video, Guardio, discovered and did a bunch of research on. I can put links to their articles in the description, and that's where I got these diagrams too.

Finally, one thing you can do is go into the Chrome settings, then Security, and enable the "Enhanced Protection" mode, which apparently has some kind of way of checking if an extension is trusted by Google. Though I couldn't really find any explanation of how they determine what makes an extension trusted or not. It says that after a few months, an extension or a developer should be considered trusted, I guess if it goes long enough without getting flagged or anything. But there are extensions like this one that are fine, that have been around for years, that still say untrusted when they get installed. And it doesn't even tell you why, which is the confusing thing. Now, it does say untrusted for one of the search hijacking extensions, but for the other one, it does not. So again, it's not a guarantee, but it's just maybe one more layer of security. If you'd rather be safe, just don't install any that don't say they're trusted, just knowing that it's possible it could be flagging some that are fine.

Finally, we can go over how to remove one of these extensions if you have one installed. Like I said, if you're lucky, you can uninstall it just like any other Chrome extension, but just be aware that if you go into the extensions page, they may have named the extension something misleading or very vague. What I mean is it might be a search hijacking extension, but it may be called something like "security extension" or "image resizer." I just made those up, but it could be literally anything. Therefore, basically just look for ones that may be related to what it's doing, or ones you don't remember installing.

If you're unlucky, then you may have had malware that installed this extension and specifically made it hard to remove. And there's a few ways they can do that. Usually it involves creating a management policy for Chrome that prevents you from being able to uninstall it. One way they can do this is by modifying the registry, because Chrome has registry keys that can be used for policy management. Also, if you're on Windows 10 or 11 Pro, they could have used the Group Policy Editor to add a policy for Chrome to do the same thing. And on top of that, they may have added a scheduled task to reinstall itself even if you do uninstall it. And of course you can't discount the possibility that the malware is still installed and running on your computer too.

Now, as for getting around this policy management trick, you can go and delete the stuff manually, but there is one person, a product expert on the Google Chrome community forums, who created a policy remover batch file.
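Before deleting anything, it helps to see exactly what is in place. The following PowerShell audit is an added example; it is not code from the video and not the batch file just mentioned. It reads the Chrome policy registry keys (the same keys the Group Policy Editor writes to) and the actions of every scheduled task, prints what it finds, and changes nothing. It assumes Windows with Chrome installed and an elevated PowerShell window; the policy names it looks for are real Chrome policy names, and the Web Store update URL it compares against is the one Chrome uses for store-installed extensions.

```powershell
# Added example, not code from the video and not Stefan VD's batch file: a
# read-only audit of the two places the video describes malware using to pin
# an extension in place, the Chrome policy registry keys (which Group Policy
# also writes to) and Scheduled Tasks. It only reports; removal is a separate,
# deliberate step. Assumptions: Windows, Chrome, an elevated PowerShell session
# so HKLM and every user's tasks are readable.

$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: HKLM policies and other users'' tasks may be incomplete.'
}

# Chrome reads policy from these two keys; a managed device legitimately has
# entries here, so judge the values, not the mere presence of the key.
$policyRoots = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'

# List-type policies are stored as a subkey holding numbered values "1", "2", ...
# (ExtensionSettings may be a subkey with one value per extension id, or a
# single JSON string, so it is checked both ways)
$listPolicies  = 'ExtensionInstallForcelist', 'ExtensionInstallAllowlist',
                 'ExtensionInstallBlocklist', 'ExtensionInstallSources',
                 'RestoreOnStartupURLs', 'ExtensionSettings'
# Scalar policies are named values directly under the root key
$valuePolicies = 'DeveloperToolsAvailability', 'DefaultSearchProviderEnabled',
                 'DefaultSearchProviderSearchURL', 'HomepageLocation', 'ExtensionSettings'
# Forcelist entries look like "<32-char id>;<update url>"; the Web Store's is:
$webStoreUpdate = 'https://clients2.google.com/service/update2/crx'

function Get-ChromePolicyFindings {
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($p in $listPolicies) {
            $key = Join-Path $root $p
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($vn in $item.GetValueNames()) {
                $v    = [string]$item.GetValue($vn)
                $note = ''
                if ($p -eq 'ExtensionInstallForcelist') {
                    $extId, $url = $v -split ';', 2
                    if (-not $url -or $url -eq $webStoreUpdate) { $note = "forced install of $extId from Web Store" }
                    else                                         { $note = "forced install of $extId from NON-Web-Store URL" }
                }
                [pscustomobject]@{ Source = $root; Policy = $p; Value = $v; Note = $note }
            }
        }
        $props = Get-ItemProperty -Path $root
        foreach ($p in $valuePolicies) {
            if ($null -ne $props.$p) {
                [pscustomobject]@{ Source = $root; Policy = $p; Value = [string]$props.$p; Note = '' }
            }
        }
    }
}

function Get-TaskActionFindings {
    # Flags task actions that run a script host, carry an encoded PowerShell
    # command, or reference Chrome, a .crx file or Chrome's --load-extension
    # switch. Legitimate Google updater tasks run GoogleUpdate/updater.exe, so
    # read the Command column to tell them apart rather than trusting the name.
    $pattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|' +
               '-enc|encodedcommand|frombase64|chrome|\.crx\b|--load-extension'
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Task    = "$($t.TaskPath)$($t.TaskName)"
                    State   = $t.State
                    RunAs   = $t.Principal.UserId
                    Command = $cmd
                }
            }
        }
    }
}

'== Chrome policies set on this machine (cross-check with chrome://policy) =='
Get-ChromePolicyFindings | Format-Table -AutoSize -Wrap
'== Scheduled task actions worth a look =='
Get-TaskActionFindings   | Format-Table -AutoSize -Wrap
```

Compare the policy table with Chrome's own chrome://policy page: on a work-managed machine or one where an antivirus manages the browser, entries there are expected, and the thing to question is an ExtensionInstallForcelist entry you did not put there, especially one whose update URL is not the Web Store. Task rows that mention Chrome or carry an encoded PowerShell command are the ones to open in Task Scheduler and read before removing anything.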
The person's name is Stefan VD, and I'll put a link to this post in the description, and you can just download that batch file. I looked through it. Basically what the batch file does is it will first close Google Chrome if it's running, obviously. It will then delete any group policy folders in System32, so just be aware that if you're running Windows Pro and you have any group policy set, it will probably erase that. It also deletes some policy folders in the Chrome Program Files installation directory. And it also looks like it deletes some registry entries related to Google Chrome. So theoretically that should allow you to go and uninstall the extension.

But again, you might want to check the Task Scheduler, especially if you notice it reinstalls itself, and just kind of look through there. I don't know what it would be called; you're just going to have to literally look through these all and look on the right-hand side. You can also click on each one and, at the bottom of the window, go to the Actions tab for each one, and that will tell you what each action is actually doing. Usually if a virus adds a task like this, they'll name it something innocuous to hide what it actually is doing. So it might say something Google Chrome related, or maybe not. Though I did find one article with an example where the task pointed to a PowerShell script like this, and it was named "Microsoft Windows Optimizer Update." So it looks like you'll have to look for ones that have PowerShell scripts too. And this one actually got into the System32 directory, which is really bad. That means it had admin access, which could definitely mean the virus is still there. Here's another malicious task example, where the whole PowerShell command is within the task itself; it doesn't reference a PowerShell script file. This one was created by malware called Blazeloader, and it was actually used to reinstall a malicious extension known as "Safe Browsing Extension." Just be aware that there are some legitimate Google Chrome update tasks in there, but I guess you'll just have to figure that out yourself.

Anyway, after you deal with that, like I said, you can go to the extensions page, hopefully find it, and remove it. Or you could just reset Google Chrome settings, which should disable all extensions. You can do that by going into the settings, then Reset settings, and then "Restore settings to the original defaults," and you see that it says it will disable extensions. And like I said, you should probably do an antivirus scan as well, and maybe look back at some software that you may have downloaded recently that could have come along with that virus. If I think of anything else, though, I'll add that to the description, so you might want to look there if that doesn't work for you, or let me know in the comments if it works one way or another so I can know.

But yeah, hopefully that should shed some light on something that you didn't really know was a risk, and next time you go to install some extensions, you'll do some double-checking first. Thanks again to Guardio for sponsoring this video. It's the best way to avoid installing all those malicious extensions, so be sure to visit Guard.io/ThioJoe to do a free scan and detect if you have any harmful extensions installed already. If you enjoyed this video, be sure to give it a big thumbs up for my YouTube algorithm overlords. And again, let me know down in the comments if this enlightened you or maybe helped you remove an extension that was malicious. If you want to keep watching, the next video I'd recommend is one where I was talking about a whole bunch of different hidden Chrome menus for settings and stuff that you've probably never seen before. So I'll put that link right there that you can just click on. So thanks so much for watching, and I'll see you in the next one.