Beware Malicious Chrome Extensions!

Captions
Browser extensions, like for Google Chrome, can be extremely useful, I have a whole bunch myself. But this video is a warning that you need to be extremely diligent when going and installing new ones, even if you're getting them from the official Chrome Web Store. There have been countless stories of malicious extensions slipping through on the Chrome Web Store and being installed by millions of people. And in my opinion, Google does not do nearly enough to vet these extensions and really their vetting process is not reliable at all, in my opinion.

There are even extensions like this one that were installed by malware and literally every single review is people saying they can't remove it, how it's a virus, they don't want this extension, yet this thing has remained on the web store for over six months. And there are some nasty extensions out there recently that even have come from advertisements on Facebook and then would hack your Facebook account and take it over by stealing your credentials.

But spoiler alert, those are something that the sponsor of this video, Guardio, can protect against, I'll get to that later. So in this video, I'll go over things like various types of malicious extensions and ways they're installed and some tricks they use to prevent being uninstalled. And of course, some ways you can avoid these extensions or at least minimize your risk.

So what are some ways that a malicious extension might get installed in the first place? And the first one is it may be on the Chrome Web Store itself. And a lot of times what these will do is they'll pretend to be one thing, or they may even do that simple task that they advertise as, but then they'll do something malicious in the background. They may ask for way more permissions than is necessary for that task and people will grant them. And then you don't even realize that in addition to that thing, it's doing a whole bunch of other nasty stuff.

Here's one example of an extension whose only purpose is to redirect your searches to some crappy random search engine. So basically they can display ads to you and there's a couple of reviews, but they're basically gibberish. You can tell these are fake reviews, but there are other examples of ones that did a lot more nasty stuff, like fake ChatGPT extensions that pretended to give you ChatGPT access, but then they would literally steal your tokens for your cookies and hijack your Facebook account, change your account name, use it for God knows what. And these were on the Chrome Web Store, but it wasn't until they got quite a bit of attention before Google finally removed them.

Now on this topic of protecting against malicious extensions, we have a very relevant sponsor for today, Guardio. Guardio provides real time enterprise level protection from all sorts of threats while browsing the web, including the malicious extensions I'm talking about today. And all the while still being affordable to consumers and small businesses. For example, Guardio scans your browser extensions and alerts you if there are any disguised malicious extensions installed and disables them. In fact, they were the ones that first discovered the fake ChatGPT extensions and reported on that. So they're actually being proactive in searching for new malicious extensions. They then fingerprint and block those extensions like you can see here, it will warn you. And even if it gets installed some other way, it will be immediately disabled. But that's not all. Guardio also blocks malicious websites using in-house custom developed methods for detecting phishing and malware content, all before those threats even have a chance to do any harm. Guardio has also added download protection to block malicious files even if you accidentally download them, like from fake sites for popular software or even malicious game mods.

One of my other favorite features is Guardio will also warn you if a website's domain has been registered very recently, which is a major red flag. You can scan your browser for threats for free by visiting Guard.io/ThioJoe and installing the extension. And you'll also get a seven day free trial to the premium features such as real time threat removal. Plus you'll even get 20% off every month of the first year of their affordable premium plan for full protection. So if you want a clean and secure browsing experience, again, visit Guard.io/ThioJoe, link in the description. And with all that being said, let's continue.

Another way a malicious extension might be installed is by malware. So you might download a free package of some kind of software from some sketchy website, and it might even be that legitimate software, but along with it is packaged a sketchy installer that also installs an extension. You used to see this kind of thing a lot where you download some free program, and if you didn't uncheck a certain box during the installation process it would install some kind of toolbar, same idea. But the range of how malicious these might be could vary greatly. If you're lucky, the extension is easily removable just like any other, you just go and click to remove it.

But there are some times where the malware may change management policies on your computer for Google Chrome, where you literally won't be able to uninstall it in the normal way. Because it'll say managed by your administrator. You can't uninstall this because it was installed by an admin, that sort of thing. And sometimes they'll even add a way for it to reinstall itself, even if you do remove it, like by adding scheduled tasks to the Task Scheduler in Windows. And if you remove it every day, it'll just reinstall it. Now to be clear, if you see managed by organization, you don't necessarily have to be worried. It is a legitimate feature.

And it may, for example, show up if you have certain antiviruses, they will manage the browser and implement policies and stuff. And also if you are using a work device or a work account, a lot of times companies will implement certain company-wide settings on the browsers as requirements, or also required extensions if you're going to be using a company device, that sort of thing. So really you only have to be worried if you know that you have a malicious extension that's using this method to prevent it from being uninstalled. But anyway, an example of this is that one I showed you before, where people are saying they literally cannot uninstall it, even though they want to. Now, the fact that Google hasn't removed this one is astounding to me. I guess maybe they're saying, "Well, all it does is, you know, change someone's search browser like it says. It's not doing anything it doesn't say it does," but ignoring the fact that it's a virus that is the only thing that's installing this. No one is voluntarily installing this, so they should remove it.

Now moving on, a third way that an extension could be installed is what is called side-loaded, or manually installed. So you don't have to install stuff from the Chrome Web Store. If you enable developer mode in the extensions page, you can actually install a Chrome extension using a file just like any other program on your computer. So a lot of times malware will install an extension this way to totally bypass the Chrome Web Store, because it might be doing something so obviously malicious that it would get caught on there. But with this, it doesn't get checked at all. So that's a common way they'll do it.

Now as for different categories of malicious extensions and what they do, I mean really the sky's the limit. They can be just as malicious as any other malware or virus on your computer. Because if you think about it, a lot of times if you download a virus, they're targeting stuff you're doing on the internet anyway, like key logging, password logins, stuff like that. So if they can get that done with an extension, they may as well.

One example I mentioned before are search hijackers. So they'll just replace your default search engine with some random one so that they can get that ad revenue if you go and use it. Another one might be ad injectors, where they'll actually modify a website to add in additional ads, which obviously the revenue will go to the creator of the malicious extension, so they'll make money that way. I've also seen examples of crypto mining Chrome extensions that do that in the background without you knowing. And at the high end of being nasty, you have stuff like key loggers and cookie stealing extensions. And by cookie stealing, I mean that if you log into a website, it adds a cookie to your browser so it keeps you logged in. Well, the malware may steal that cookie and send it to the creator of the malware, and then they are already logged into your account. And they don't even have to worry about typing in the password, two-factor authentication. It's a really easy way for them to steal accounts. Or of course, these extensions could do multiple or all of the above.

There's one example of a really bad campaign called Dormant Colors, where there was like 30 different extensions that were all color and theme related for your browser. And on the surface they actually did what they said and they remained dormant. And there was actually malicious code hidden in there. And it wasn't until they had millions of installs where they activated the malicious part. And they did stuff like replacing search engines, replacing URLs that you type in to redirect to a phishing version of a website, all sorts of nasty stuff. And there's at least one example of them getting a "Featured" badge, which usually means that it was vetted by an actual person on the Chrome Web Store team. And I guess at that point, there's not really much you can do about it. If you see that, you should think it's trusted, but who knows.

Now, there are several things you can do to avoid a lot of these malicious extensions. Some of them are more common sense, some of them not. One thing you could do is check to see if it has a lot of installs. And obviously this is not a guarantee, but it's kind of a signal, because you would think if it really was malicious, the more people that use it, the more likely that there'd be people that are reporting it as malicious. But also watch out, because I suspect that install count can be botted. I mean, this extension is showing over 300,000 installs, but I mean, there's just two obviously fake reviews. It just doesn't add up. So maybe see if the number of reviews versus installs makes sense.

Next, you can check to see what badges are on the Chrome extension. But again, these are not necessarily any kind of guarantee at all, but one of them is this established publisher badge. It just has a check mark next to the website. This doesn't really seem to be very meaningful. I believe this just means they verified their website and that they don't have any current violations on their developer account. But I mean, they could easily verify any website they sign up for. That doesn't really mean anything. And it could just mean they weren't caught yet if they don't have any violations. And obviously if they are, they're just going to make a new one. So just from them having this badge, I wouldn't really consider that anything of importance. But if it is tied to a well-known website, like a really well-known company or something, that might be meaningful because it means they actually are associated with that website.

Another badge to look for is the featured badge. This one should theoretically mean that it's safe, because apparently it is actually reviewed by the Chrome Web Store team. And you know they reviewed it, made sure it follows policies and deemed it good. So I would say generally I would trust an extension that is featured. But again, there was that one from the Dormant Colors campaign that ended up being malicious that was featured. But like I said, really at that point, there's not really much you can do if even the Chrome Web Store employees can't figure that out.

You can also check the reviews. Obviously if it has a lot of negative reviews, that's not a good sign. And you can also maybe look at how old the oldest review is to see how long this extension has been around most likely. If it's a very new extension, I probably wouldn't trust it as much as one that's been there for years. Because there's no way to see actually when a Chrome extension was first published. It just shows you the most recent update. So looking at the oldest review is probably the only decent way to do that.

Another thing to look out for is if the Chrome extension claims to be part of some open source project or something that's popular, make sure that you look at the website that it links to and ensure that it is actually associated with that project, and make sure that website links back to that actual extension. Because with the fake ChatGPT extensions, they pretended to be part of a popular open source Chrome extension that was legitimate, but they weren't actually associated with that. So you would have had to want to go to that actual GitHub page and make sure that it was linking to that correct one. But the tricky thing is these fake ChatGPT extensions were actually being advertised on Google search sponsor results and Facebook ads. So really being pushed out there. This is actually something that the sponsor of this video, Guardio, actually discovered and did a bunch of research on. I can put links to their articles in the description, and that's where I got these diagrams too.

Finally, one thing you can do is go into the Chrome settings and security and enable the "Enhanced Protection" mode, which apparently has some kind of way of checking if an extension is trusted by Google. Though I couldn't really find any explanation of how they determine what makes an extension trusted or not. It says that after a few months, an extension or a developer should be considered trusted, I guess if it goes long enough without getting flagged or anything. But there are extensions like this one that are fine, that have been around for years, that still say untrusted when it gets installed. And it doesn't even tell you why, which is the confusing thing. Now it does say untrusted for one of the search hijacking extensions, but for the other one, it does not. So again, it's not a guarantee, but it's just maybe one more layer of security. If you'd rather be safe, just don't install any one that doesn't say it's trusted. Just knowing that it's possible that it could be flagging some that are fine.

Finally, we can go over how to remove one of these extensions if you have one installed. Like I said, if you're lucky, you can uninstall it just like any other Chrome extension, but just be aware if you go into the extensions page, they may have named the extension something misleading or very vague. And what I mean is it might be a search hijacking extension, but it may be called something like security extension or image resizer. I just made those up, but it could be literally anything. Therefore basically just look for ones that may be related to what it's doing or ones you don't remember installing.

If you're unlucky, then you may have had malware that installed this extension and specifically made it hard to remove. And there's a few ways they can do that. Usually it involves creating a management policy in your Chrome extension that prevents you from being able to uninstall it. One way they can do this is by modifying the registry keys, because Chrome has registry keys that can be used for policy management. Also, if you're on Windows 10 or 11 Pro, they could have used the group policy editor policies to add one for Chrome to do the same thing. And on top of that, they may have added a scheduled task to reinstall itself, even if you do uninstall it. And of course you can't discount the possibility that the malware is still installed and running on your computer too.

Now, as for getting around this policy management trick, you can go and delete the stuff manually, but there is one person, a product expert on the Google Chrome community forums, who created a policy remover batch file. The person's name is Stefan VD, and I'll put a link to this post in the description and you can just download that batch file. I looked through it. Basically what the batch file does is it will first close Google Chrome from running, obviously. It will then delete any group policy folders in System32. So just be aware if you're running Windows Pro and you have any group policy set, it will probably erase that. It also deletes some policy folders in the Chrome program files installation directory. And it also looks like it deletes some registry entries related to Google Chrome. So theoretically that should allow you to go and uninstall the extension.

But again, you might want to check the task scheduler, especially if you notice it reinstalls itself, and just kind of look through there. And I don't know what it would be called. You're just going to have to literally look through these all and look on the right hand side. You can also click on each one and on the bottom of the window, go to the Actions tab for each one, and that will tell you what each action is actually doing. Usually if a virus adds a task like this, they'll name it something innocuous to hide what it actually is doing. So it might say something Google Chrome related or maybe not. Though I did find one article with an example where the task pointed to a PowerShell script like this, and it was named Microsoft Windows Optimizer Update. So it looks like you'll have to look for ones that have PowerShell scripts too. And this one actually got into the System32 directory, which is really bad. That means it had admin access, which could definitely mean the virus is still there. Here's another malicious task example, where the whole PowerShell command is within the task itself. It doesn't reference a PowerShell script file. This one was created by malware called Blazeloader, and it was actually used to reinstall a malicious extension known as "Safe Browsing Extension." Just be aware that there are some legitimate Google Chrome update tasks in there, but I guess you'll just have to figure that out yourself.

Anyway, after you deal with that, like I said you can go to the extensions page, hopefully find it and remove it. Or you could just reset Google Chrome settings, which should disable all extensions. So you can do that by going into the settings and then reset settings, and then restore settings to the original defaults. And you see that it says it will disable extensions. And like I said, you should probably do an antivirus scan as well, and maybe look back at some software that you may have downloaded recently that could have come along with that virus. If I think of anything else though, I'll add that to the description. So you might want to look there if that doesn't work for you, or let me know in the comments if it works one way or another so I can know. But yeah, hopefully that should shed some light on something that you didn't really know was a risk. And next time you go to install some extensions, you'll do some double checking first.

Thanks again to Guardio for sponsoring this video. It's the best way to avoid installing all those malicious extensions. So be sure to visit Guard.io/ThioJoe to do a free scan and detect if you have any harmful extensions installed already. If you enjoyed this video, be sure to give it a big thumbs up for my YouTube algorithm overlords. And again, let me know down in the comments if this enlightened you or maybe helped you remove an extension that was malicious. If you want to keep watching, the next video I'd recommend is one where I was talking about a whole bunch of different hidden Chrome menus for settings and stuff that you've probably never seen before. So I'll put that link right there you can just click on. So thanks so much for watching and I'll see you in the next one.
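The video describes two places a pinned-in-place extension hides: Chrome's policy registry keys (the "managed by your organization" trick) and scheduled tasks that reinstall it, often via PowerShell. The script below is an added, read-only audit example; it is not from the video, not Guardio's tooling, and not Stefan VD's batch file. It assumes the standard Chrome policy locations under Software\Policies\Google\Chrome in HKLM and HKCU, and its task-matching regex is a heuristic for a human to review, not a malware signature. Run it in an elevated PowerShell on Windows 10 or 11.

```powershell
# Added audit script (assumed paths; not from the video, Guardio, or the policy remover batch file).
# Read-only: it lists Chrome policy values and suspicious scheduled tasks so you can judge them
# before deleting anything. Run elevated so all tasks and the HKLM policy key are visible.

# Chrome merges machine (HKLM) and user (HKCU) policy from these keys; chrome://policy shows the result.
# Group Policy objects applied to Chrome also land in these same keys.
$ChromePolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

function Get-ChromePolicyValues {
    # Walks each policy root and yields every value set beneath it. ExtensionInstallForcelist is
    # the key that makes Chrome refuse to uninstall an extension; its entries look like
    # "<32-letter extension id>;<update url>". Antivirus or corporate management writes here too.
    foreach ($root in $ChromePolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Data      = $key.GetValue($name)
                    ForcesExt = ($key.Name -like '*ExtensionInstallForcelist*')
                }
            }
        }
    }
}

function Get-ChromeRelatedTasks {
    # Scheduled tasks whose action launches PowerShell or touches a Chrome extension path.
    # Both task examples in the video ran PowerShell. Google's own update tasks run GoogleUpdate.exe
    # and will not match; anything that does match still needs a human look before removal.
    $pattern = 'powershell|pwsh|\.crx|--load-extension|\\Extensions\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute/Arguments; the format just yields blanks.
            $command = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($command -match $pattern) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    State    = $task.State
                    Command  = $command
                }
            }
        }
    }
}

Write-Host '== Chrome policy values (AV or corporate management shows up here as well) =='
Get-ChromePolicyValues | Format-Table -AutoSize -Wrap

Write-Host '== Scheduled tasks that launch PowerShell or reference extensions =='
Get-ChromeRelatedTasks | Format-Table -AutoSize -Wrap
```

Save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File .\audit.ps1` from an elevated prompt. An empty first table means no policy is pinning an extension and the "managed by your organization" message has another source; a ForcesExt row whose extension id you do not recognise, or a task whose Command is an inline PowerShell one-liner with an unfamiliar Author, is what to investigate (and, as the video says, a task that writes into System32 implies admin access, so an antivirus scan belongs in the same pass). The script deliberately deletes nothing, because the same keys carry legitimate antivirus and workplace settings.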
Info
Channel: ThioJoe
Views: 133,248
Id: Al0K-bnC2Yw
Length: 17min 26sec (1046 seconds)
Published: Wed May 17 2023