
"Two Chrome extensions called "Phantom Shuttle" pretend to be proxy services, but in reality steal user data. The malicious extensions have been active since 2017 and are still available in the official Chrome Web Store. Researchers from security platform Socket discovered the malicious extensions. The extensions target users in China, including traders who need to test connectivity from different locations in the country. The extensions offer a monthly subscription."
"Hardcoded proxy credentials"
"The extensions route all web traffic through proxies controlled by the attackers. Access is granted via hardcoded login credentials. Socket researchers discovered that the code for this has been added to the legitimate jQuery library. The proxy credentials are hidden by special character index encoding. The extensions intercept HTTP authentication on every website via a web traffic listener. Form data, passwords, card details, and session cookies can thus be intercepted. API tokens from requests can also be stolen."
"Chrome's proxy settings are dynamically adjusted via an auto-configuration script. In the default "smarty" mode, the extension routes more than 170 high-value domains through the proxy network. These include development platforms, cloud service consoles, and social media sites. Local networks and the command-and-control domain are left untouched to avoid detection. This shows once again that Chrome extensions cannot simply be trusted."
Two Chrome extensions named Phantom Shuttle pose as proxy services offering monthly subscriptions while routing user traffic through attacker-controlled proxies to steal credentials and sensitive data. The extensions have been active since 2017 and remain available in the Chrome Web Store. Socket researchers found hardcoded proxy login credentials embedded in the legitimate jQuery library and hidden using special character index encoding. The extensions intercept HTTP authentication, form data, passwords, card details, session cookies, and API tokens. Chrome proxy settings are adjusted with an auto-configuration script that routes over 170 high-value domains through the proxy while leaving local networks and the command-and-control domain untouched to evade detection.
Read at Techzine Global