
Beware: Two Chrome Extensions Exposed for Stealthily Stealing Credentials from 170+ Websites

Researchers have identified two malicious Google Chrome extensions, both named "Phantom Shuttle" and published by the same developer, that are designed to intercept user traffic and capture credentials. Advertised as network speed-testing tools, the extensions are still available for download.

The first extension was published in November 2017 and has around 2,000 users; the second was posted in April 2023 and has about 180 users. Users pay for a subscription in the belief that they are buying access to a legitimate VPN service, but instead the extensions carry out the malicious activity described below.

According to security researcher Kush Pandya, the extensions inject credential information into users' web traffic, acting as man-in-the-middle proxies that redirect and exfiltrate data to the attacker's command-and-control server. When users pay for VIP access, the extensions enable a "smarty" proxy mode that routes traffic for more than 170 targeted domains, which include GitHub, Amazon Web Services, Facebook and many others.

The extensions have been carefully designed to perform legitimate functions, such as latency tests and connectivity status checks, in order to maintain the illusion of reliability while they secretly hijack user credentials. They use JavaScript libraries with malicious modifications to inject hard-coded proxy credentials at any HTTP authentication prompt, so credential theft proceeds without the user's knowledge.

Once a user authenticates with a proxy server, the extensions change Chrome's proxy settings so that web traffic is routed through the attacker-controlled proxies. They also communicate with their command-and-control server, transmitting user information such as email addresses and passwords back to the attacker every five minutes.

The extensions' ongoing operations revolve around the theft of sensitive information, including passwords, credit card details and developer credentials, which could lead to broader security breaches. The identity of the operators remains unclear, but clues such as the Chinese-language description and payment integration through Alipay point to a China-based operation.

With a subscription model that reinforces user dependency and generates revenue for the operators, these extensions pose a significant risk, especially in corporate environments that lack adequate browser extension management. Users are advised to uninstall the extensions immediately, and security teams are encouraged to establish strict monitoring and allowlisting policies to mitigate such risks.
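The behaviour described above, rewriting the browser's proxy configuration and answering HTTP authentication prompts with injected credentials, requires a recognisable combination of extension permissions, which is something an allowlisting or monitoring process can check. The audit script below is an added example written for this page, not code from the researchers or from the extensions themselves; it assumes Chrome's on-disk layout of <profile>/Extensions/<id>/<version>/manifest.json and the Linux default profile path, and the two sample manifests are constructed.

```python
import json
from pathlib import Path

# Permission combination that lets an extension act like the proxies above:
# "proxy" rewrites Chrome's proxy settings (chrome.proxy), and the webRequest
# family lets it observe traffic and answer HTTP auth challenges itself.
PROXY_PERM = "proxy"
AUTH_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return risk findings for one extension manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if PROXY_PERM in perms:
        findings.append("can rewrite the browser proxy configuration")
    if perms & AUTH_PERMS:
        findings.append("can intercept requests and HTTP auth challenges")
    if hosts & BROAD_HOSTS:
        findings.append("has host access to every site")
    if PROXY_PERM in perms and perms & AUTH_PERMS:
        findings.append("HIGH: proxy + webRequest matches the pattern above")
    return findings


def scan_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <extensions_dir>/<id>/<version>/manifest.json found."""
    results: dict[str, list[str]] = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        findings = audit_manifest(manifest)
        if findings:
            results[path.parent.parent.name] = findings  # keyed by extension id
    return results


# Constructed sample manifests for demonstration; not the real extensions'.
SAMPLE_BENIGN = {"manifest_version": 3, "permissions": ["storage"],
                 "host_permissions": ["https://speedtest.example/*"]}
SAMPLE_SUSPECT = {"manifest_version": 3, "host_permissions": ["<all_urls>"],
                  "permissions": ["proxy", "webRequest", "webRequestAuthProvider"]}

if __name__ == "__main__":  # Linux default profile path (assumption; differs per OS)
    for ext_id, found in scan_profile(Path.home() / ".config/google-chrome/Default/Extensions").items():
        print(ext_id, *found, sep="\n  ")
```

A hit on the HIGH finding is a prompt to review the extension, not proof of malice; legitimate VPN and proxy extensions request the same permissions, which is why an explicit allowlist of approved extension ids is the stronger control.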
