Security researchers have uncovered a massive global campaign spying on millions of Internet users and stealing their data. In this attack, hackers used thousands of malicious domains purchased from GalComm (formerly CommuniGal Communication Ltd). GalComm is a domain name registrar from Israel.
Hackers use Google Chrome extensions to drop malware
A major spyware campaign primarily targeted Google Chrome users, courtesy of extensions hosted on the Chrome Web Store, further compromising email, payroll, and several other sensitive functions. These web browser extensions managed to steal sensitive user data across multiple geographies and industry segments.
In response, Google has removed more than 70 of the malicious extensions from its Chrome Web Store, reports Reuters:
“When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” Google spokesperson said in a statement.
Researchers at Awake Security observed a total of 26,079 domains registered through GalComm. According to them, nearly 60 percent of those domains host a variety of traditional malware and browser-based surveillance tools.
Interestingly, attackers also managed to stay low through a variety of evasion techniques bypassing multiple layers of security controls.
“Through a variety of evasion techniques, these domains have avoided being labeled as malicious by most security solutions and have thus allowed this campaign to go unnoticed,” said Gary Golomb Co-Founder & Chief Scientist at Awake Security.
Moving on, researchers also witnessed hundreds of malicious Chrome extensions using GalComm domains. Attackers used those extensions as a dropper to deliver data-stealing malware. These extensions together have amassed millions of downloads.
Using those extensions, attackers were able to screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, act as a keylogger, among other things. This massive surveillance campaign targeted networks across industries like financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, and more.
However, the question arises: How threat actors managed to get hundreds of malicious extensions approved on the Chrome Web Store in the first place?
Earlier, researchers uncovered a new sophisticated phishing campaign that abused an Adobe campaign redirection mechanism to send victims to an Office 365 themed phishing website using a reputable domain from Samsung.
