Kaspersky Warns of a Two-fold Surge in Browser Extensions that Steal Crypto

A browser extension is a piece of software that users can install to customise the functionality of a web browser. Browser extensions are handy, but they can also pose serious threats to privacy and security.

As an increasing number of people have begun to rely on cryptocurrencies for online transactions, cybercriminals have adapted their tactics accordingly: browser extensions have become an attractive target for hackers looking to exploit unsuspecting crypto users.

At the beginning of 2023, Kaspersky observed a two-fold increase in the number of malicious browser extensions, specifically those designed to perform web injects and steal cryptocurrency. There was also a rise in the number of malicious droppers that install harmful extensions on victims’ machines.

A malicious browser extension interferes with browser functionality and mimics legitimate software. It can be difficult for antivirus software to detect. Malicious extensions can alter what the user sees in their browser, as opposed to what is actually sent by the server.

For example, these extensions can add or remove text, labels, text fields, and other website elements. Malicious extensions can track affiliate IDs, engage in phishing activities and steal credentials, as well as steal cryptocurrency.

For instance, a malicious extension can insert an additional field into a form sent by a crypto wallet server. The purpose of these extra fields (accompanied by supporting labels and instructions) is to dupe the user into entering certain confidential information (e.g., login credentials, credit card numbers, CVVs, PINs, tokens, etc.) even if that information was not being requested by the crypto wallet in the original form.

These malicious extensions often mimic legitimate ones, making it difficult for users to differentiate between safe and harmful add-ons. Once installed, these extensions can inject malicious code into users’ browsers, enabling cybercriminals to steal sensitive information such as private keys, seed phrases for crypto wallets, login credentials and two-factor authentication information.

“Browser extensions can be installed both from official browser stores (e.g., in Chrome, Firefox) or direct from a file – this is currently available on Windows machines in the most popular browser – Chrome.

When installed from outside the official stores, the risk of the extension being malicious increases. Users, especially those who engage in cryptocurrency operations on their Windows machines, should be wary of browser extensions that they install,” comments Sergey Lozhkin, Lead Security Researcher at Kaspersky GReAT.
