A new malware-as-a-service (MaaS) operation, dubbed "Stanley," is advertising the creation and publication of malicious Chrome extensions designed to bypass Google's review process. The service promises to deliver phishing extensions that can overlay any webpage with a full-screen iframe containing fraudulent content, while the browser's address bar continues to display the legitimate URL. According to researchers at Varonis, the MaaS also offers features like silent auto-installation on major browsers and a web panel for managing attacks.
The most expensive "Luxe Plan" includes full support for publishing the malicious extension directly to the Chrome Web Store. Once installed, the extension polls a command-and-control server every 10 seconds and can rotate backup domains to resist takedowns. Attackers can use the panel to enable or disable hijacking rules, target victims by geography, and even push browser notifications to lure users to phishing pages.
Technically, the extension's code is described as rudimentary, containing Russian comments and basic error handling. Its primary distinction is its distribution model, which capitalizes on the trust associated with the official Chrome Web Store. This follows recent reports of other malicious extensions evading detection, underscoring the need for users to minimize installed extensions, verify publishers, and scrutinize user reviews.
Read more...