back to article Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm

Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google's store. The researchers said they have been tracking a "massive …

  1. TeeCee Gold badge
    Facepalm

    Maturity.

    Once upon a time, all your work was done with applications running on an O/S. Many times it was found that weaknesses in the O/S permitted the underhand installation of nasty things that could compromise your applications. Over many years O/S security was improved until such things became, largely, a thing of the past.

    Then we moved all your work into the browser...(!)

    Rinse, repeat ad nauseum.

    See also: Failing to learn from your own mistakes / Who could possibly have seen that coming? / etc.

    1. Anonymous Coward
      Anonymous Coward

      Re: Maturity.

      The quote you wanted: "Only a fool learns from his own mistakes. The wise man learns from the mistakes of others."

      1. Anonymous Coward
        Anonymous Coward

        Re: Maturity.

        Then what do you call a person who doesn't learn from ANY mistakes: his own or others?

        1. JimboSmith

          Re: Maturity.

          Then what do you call a person who doesn't learn from ANY mistakes: his own or others?

          Trump?

          1. Charles 9
            FAIL

            Re: Maturity.

            Still, it springs to mind the old "give a man a fish" proverb. Problem becomes, how do you teach a man to fish when that man is THAT stupid, as in "teach this man to fish, he'll starve to death on the pier a month later with the rod still in his hands"?

        2. Anonymous Coward
          Anonymous Coward

          Re: Maturity.

          A Party

    2. Potemkine! Silver badge

      Hegelian World

      Hegel told us two centuries ago that "the only thing we learn from History is that we do not learn from History". This is also true for IT

    3. big_D

      Re: Maturity.

      99% of our work is still on local applications.

  2. Anonymous Coward
    Anonymous Coward

    "things like signs of uploads going to rare or known bad destinations"

    «The story begins with some heuristic malware detection by Awake, looking for things like signs of uploads going to rare or known bad destinations. This led them to a bunch of malicious browser extensions, 111 in total, which "were found to upload sensitive data or not perform the task they're advertised to perform (generally, they surveil user activity and device properties."»

    Hang on, that's just a description of Google Chrome itself… :-P

  3. Anonymous Coward
    Anonymous Coward

    Wot! Someone other than Google spying on Chrome Users?

    Shirley... that can't be true.

    Good job that Chrome is banned in my home as are some 300+ Google owned domains.

    Posting AC for obvious reasons.

  4. Jurassic Hermit

    Which Extensions?

    Does anyone have a list of the 111 extensions? The report only lists an ID number which means nothing to most of us.

    Thanks in advance.

  5. Anonymous Coward
    Anonymous Coward

    Random?

    I like how the random sponsored link at the end of the article was (for me) "How to Thrive in the Digital Economy". I read it as "how to thieve".

    That is all.

  6. Anonymous Coward
    Anonymous Coward

    Typical behaviour from israel

    1. Anonymous Coward
      Anonymous Coward

      Allegedly the best spies in the world.

      1. NetBlackOps

        Being surrounded by enemies breeds excellant spies, e.g. Poland and a certain Enigma device.

        1. Tom 7

          Alfred the Great was surrounded by enemies so he made them his friends.

  7. Anonymous Coward
    Anonymous Coward

    parked domains

    "From those that are with Galcomm, almost all are parked domains, mostly with the largest domain parking companies worldwide."

    Moshe may be on to something here.

    Read this article that explains about more malicious toolbars that direct users to parking domains that bypass adblock to run the RIG exploit:

    https://threatpost.com/malvertising-ad-blockers-mac-malware/146861/

    I am not defending Galcomm here because I know from experience how futile it is when trying to report malious sites.

    (Most all the malicious sites I have tracked lead to GoDaddy or NAMECHEAP and ocassionally OVH)

  8. chivo243 Silver badge
    Thumb Up

    Timely report

    I've been trying to get my shop to manage our users extensions, it has had a bit of push back. However we have found that bad extensions are 99% of the problem with Google Meet and Google apps. I know some colleagues read El Reg, this report will catch their eye. Maybe we can move forward now.

    1. Roland6 Silver badge

      Re: Timely report

      Yandex has been surprisingly quiet about what it has been up to...

      Back in 2015 Yandex brought out Agnitum with the intention of integrating the Agnitum security software into the Yandex browser.

  9. IGotOut Silver badge

    Phew..

    ...thank goodness Google would do anything as stupid as trying to hide installed extensions.

  10. sitta_europea Silver badge

    I once tried to get both ICANN and Nominet interested enough in the criminal activities which they facilitate to do something about it.

    What a waste of time that was.

  11. USER100

    Stop the press

    Surveillance campaign linked to Israelis...

    In other news, 'Bears Defecate In Woods', 'Pope is Catholic'

    Plus shocking expose: 'Earth Is Not Flat!'

    1. Michael Habel
      Alien

      Re: Stop the press

      Plus shocking expose: 'Earth Is Not Flat!'

      Yeah really, go pull the other one. Next you'll try and, tell us that, they sent men to the Moon some 50 long years ago. When we are still incapable of breakikng free form low earth orbit.

  12. docogih272
    Mushroom

    PiHole Galcomm Blocklist

    I made thread. https://www.reddit.com/r/pihole/comments/hbrvx0/galcomm_israeli_isp_spying_blocklist_request/

  13. YetAnotherJoeBlow

    ahem...

    I know some guys that - lets just say they are very flexible on who they work with - tell me that it has never been easier to pwn networks, phones, IOT, or any endpoints for that matter. While I work in embedded and know what a crap shoot it is, if people actually saw what these guys do, they would never bank or pay with a phone. I don;t. Once they have your phone, they are into everything you are into. The sky isn't falling, it already fell.

  14. amanfromMars 1 Silver badge

    From Acorns do Great Oaks Grow

    Rogue access to the browser therefore frequently means rogue access to the 'keys to the kingdom'

    Oh please, don't be so diffident. Rogue access to the browser always means rogue access to the 'keys to the kingdom'.

    The abiding crushing problem to resolve and address though is what to do better with the information phished once the riches revealed are accessible and vulnerable to disappearance/export and import to elsewhere.

  15. Potemkine! Silver badge

    Awake said its threat researchers "made several attempts to contact Galcomm by phone, email (abuse@, security@, and support@), and the contact form on their website

    Moreover, Awake have not even asked for our quote or response on that issue before publishing a report. I got the domains in question via a third party who was asking me about this.

    So El Reg, who is the liar?

    1. Dave314159ggggdffsdds Silver badge

      Hmm, let me see, could it be the 'researchers' spreading old fashioned antisemitic conspiracy theories?

      This is some nasty shit for the reg to be publishing.

  16. amanfromMars 1 Silver badge

    Pot Kettle Black Calling ....

    Hmm, let me see, could it be the 'researchers' spreading old fashioned antisemitic conspiracy theories?

    This is some nasty shit for the reg to be publishing. ...... Dave314159ggggdffsdds

    Crikey, Dave314159ggggdffsdds, that seems more like your forte. Count yourself lucky El Reg don't think it so.

    1. Dave314159ggggdffsdds Silver badge

      Re: Pot Kettle Black Calling ....

      Have a look at the comments here. The dog whistles were heard by the antisemites, who have piled on.

  17. wolfetone Silver badge
    Coat

    Ah, those Israelis. Up to no good as usual.

    1. J. R. Hartley

      Scum of the earth a chara

  18. Anonymous Coward
    Anonymous Coward

    Please include Chromium's builtin PDF viewer

    I've been having some trouble with my home machine running slowly (mostly it's just old). Chromium especially crawls in certain cases, even with Adblock Plus on and running. Checked Chromium's task manager, and found two entries with the names of advertising sites listed under the PDF viewer! I did have one PDF open, but that shouldn't allow connections to sites that Adblock Plus should be blocking. Disabled the built-in viewer, and that seems to have solved that. (But still slow. Alas.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like