Malicious Chrome Extension Harvests Personal Data from Social Media Sites

Bleeping Computer founder Lawrence Abrams discovered a malicious Chrome browser extension named Browse-Secure that promotes itself as a way to make browsers “safe.” Once installed, it connects to a remote server and harvests personal information from the unsuspecting user’s Facebook and LinkedIn accounts. Browse-Secure uses the rules contained in an included JSON file to crawl these social media pages and extract data such as names, dates of birth, gender, addresses, email addresses, and mobile phone numbers. This data is then transmitted back to the remote server. Although it is currently unknown how the developer intends to use this data, it could likely be used to further target users in spear-phishing campaigns or other social engineering schemes.

The NJCCIC recommends that users who have downloaded the malicious Chrome extension uninstall it immediately and be on alert for spear-phishing and other social engineering attempts that incorporate the information harvested from their profiles. We also recommend exercising caution when installing browser extensions and reading reviews prior to installation to see whether other users have reported a negative experience. Network administrators may want to consider blocking inbound and outbound connections to known C2 IP addresses and domains. More information about this malicious extension, including indicators of compromise, is available on Bleeping Computer.
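One way to act on the recommendation to find and uninstall the extension, as an added example that is not from the NJCCIC or Bleeping Computer: a Python audit of a Chrome profile's installed extension manifests that flags a name matching Browse-Secure and any host access to Facebook or LinkedIn. The extension's ID and manifest contents are not given here, so the matching rules and the sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

WATCH_NAME = "browse-secure"                     # extension name from the advisory
WATCH_HOSTS = ("facebook.com", "linkedin.com")   # sites the advisory says are harvested
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def host_patterns(manifest):
    """Collect every host match pattern the manifest requests."""
    pats = list(manifest.get("host_permissions", []))      # Manifest V3
    for p in manifest.get("permissions", []):              # MV2 mixes hosts in here
        if isinstance(p, str) and ("://" in p or p == "<all_urls>"):
            pats.append(p)
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    findings = []
    # Assumption: the display name is stored literally. A "__MSG_key__" name is
    # localized and would need resolving from _locales, which this sketch skips.
    if str(manifest.get("name", "")).lower().replace(" ", "-") == WATCH_NAME:
        findings.append("name-match")
    pats = host_patterns(manifest)
    if any(p in BROAD for p in pats):
        findings.append("all-sites-access")
    for host in WATCH_HOSTS:
        if any(host in p for p in pats):
            findings.append("host-access:" + host)
    return findings

def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each."""
    results = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                                   # unreadable or not JSON
        found = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if found:
            results[path.parts[-3]] = found            # key by extension ID directory
    return results

# Constructed sample manifest (not the real extension's manifest).
SAMPLE = {"name": "Browse Secure", "manifest_version": 2,
          "permissions": ["tabs", "*://*.facebook.com/*"],
          "content_scripts": [{"matches": ["https://www.linkedin.com/*"], "js": ["c.js"]}]}
```

Host access to Facebook or LinkedIn alone is common among legitimate extensions, so treat those findings as a prompt for review and the name match as the stronger signal.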