Malware toolkit guarantees store approval for Chrome extensions

A suspected Russian malware-as-a-service operation has been selling a turnkey website-spoofing toolkit that promised to bypass Google’s Chrome Web Store security review, charging up to US$6000, security vendor Varonis said.

Named Stanley after its seller’s forum alias, the toolkit provides everything needed to run phishing operations through malicious browser extensions that appear legitimate to both Google Store code reviewers and victims.

The operators guarantee that the top-tier variant of Stanley will clear Chrome Web Store review and get the malicious browser extensions published.

One such Chrome extension, Notely, which masqueraded as a note-taking and bookmarking tool, was published as a proof-of-concept, Varonis said; it has since been removed from the Chrome Web Store.

A demo video shows the operation targeting Binance and Coinbase.

Technically, malicious extensions created with Stanley use iframe overlays to display the attacker’s phishing page on top of the legitimate site.

This keeps the link to the legitimate site intact in the browser’s navigation bar, while serving up phishing content.

The interface allows attackers to configure URL hijacking rules specific to individual users and activate them on demand.

It also provides customisation options and a command-and-control panel with victim data.

Beyond passive hijacking, operators can push Chrome notifications to lure users toward targeted phishing pages.

Varonis said that the code Stanley produces “has some rough edges”, with comments in Russian, inconsistent error handling and empty catch blocks. It added that the high sales price was justified by the extensions passing the Chrome Web Store code review.

Stanley was marketed in Russian-language cybercrime forums, the Varonis security researchers said.

Varonis said the Stanley operators have gone dark since the publicity around the MaaS kit, but added that this is no guarantee that it won’t reappear under a different name or remain available for sale privately.

The security vendor said the ability to pass Chrome Web Store reviews means the standard advice of only installing from official sources, and looking for “verified” badges, may be insufficient.

As a defence, enterprise administrators should consider blocking all Chrome and Microsoft Edge extensions apart from those explicitly allowed.

Consumers, meanwhile, are advised to periodically audit installed browser extensions and remove those not actively used.

People should also be suspicious of extensions that require access to all websites and browsing history, Varonis said.
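The audit Varonis recommends can be done locally by reading each installed extension’s manifest. The following script is an added example, not code from the article or from Varonis: it walks a Chrome profile’s Extensions directory, parses every manifest.json, and flags extensions that combine access to all websites with the history or tabs API, the combination the article says users should treat with suspicion. The profile paths are Chrome’s documented defaults; the sample manifests and extension ids it builds for an offline run are constructed.

```python
"""Audit locally installed Chrome extensions for overbroad permissions.

Added example (not from the article or from Varonis). Flags extensions
that can read every website and also request the history or tabs API.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Host patterns that grant access to every website (manifest v2 and v3).
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"history", "tabs", "webRequest", "webNavigation", "notifications"}


def permissions_of(manifest: dict) -> tuple[set, set]:
    """Return (host patterns, API permissions) for a v2 or v3 manifest."""
    hosts = set(manifest.get("host_permissions", []))
    apis = set()
    # In manifest v2 host patterns and API names share the "permissions" list.
    for p in manifest.get("permissions", []):
        (hosts if ("://" in p or p == "<all_urls>") else apis).add(p)
    # A content script matching every site is an equivalent capability.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts, apis


def assess(manifest: dict) -> dict:
    """Summarise one manifest; 'review' is True for the risky combination."""
    hosts, apis = permissions_of(manifest)
    all_sites = bool(hosts & ALL_SITES)
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "all_sites": all_sites,
        "sensitive_apis": sorted(apis & SENSITIVE_APIS),
        "review": all_sites and bool(apis & {"history", "tabs"}),
    }


def audit(extensions_dir: Path) -> list[dict]:
    """Chrome stores manifests under <profile>/Extensions/<id>/<version>/."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as f:
            result = assess(json.load(f))
        result["id"] = manifest_path.parent.parent.name
        findings.append(result)
    return findings


def default_extensions_dir() -> Path:
    """Default Chrome profile location per platform."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ["LOCALAPPDATA"]) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    return base / "Default" / "Extensions"


def build_sample_profile() -> Path:
    """Constructed extensions directory with one risky and one benign manifest."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        # constructed id: a v3 lookalike that reads every site plus history
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "manifest_version": 3, "name": "Sample notes tool (constructed)",
            "version": "1.0", "host_permissions": ["<all_urls>"],
            "permissions": ["history", "notifications", "storage"],
        },
        # constructed id: a v2 extension with only per-tab, on-click access
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": {
            "manifest_version": 2, "name": "Sample benign tool (constructed)",
            "version": "2.3", "permissions": ["storage", "activeTab"],
        },
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / f"{manifest['version']}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = default_extensions_dir()
    if not target.is_dir():          # no Chrome profile here: use the sample
        target = build_sample_profile()
    for item in audit(target):
        flag = "REVIEW" if item["review"] else "ok    "
        print(f"{flag} {item['id']} {item['name']} {item['version']} "
              f"all_sites={item['all_sites']} apis={item['sensitive_apis']}")
```

Run it with no arguments: on a machine with a Chrome profile it lists every installed extension, and prints REVIEW for those matching the risky pattern; anywhere else it runs against the constructed sample. Extensions installed by enterprise policy live in the same directory, so the output is also a quick way to check that an allowlist is actually being enforced.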

Browser extensions have lately been subverted by threat actors for malicious purposes.

Earlier this month, security vendor Huntress analysed a malicious browser extension that impersonated the uBlock Origin Lite ad blocker.

Called “CrashFix” by Huntress, the extension intentionally crashes web browsers and tricks users into running malicious commands, including installing a remote access tool (RAT) for domain-joined computers.
