It has been reported that a newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools. Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date. Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely. It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.
Spyware, or other malware, finding its way into software repositories is a known risk. Indeed, this is simply an unfortunate by-product of a software development ecosystem that chooses to relax the rules in favour of greater quantities of software offerings. There is no doubt then that malicious actors will take advantage of this to distribute malicious code.
Users also need to be aware of the software they use. This includes, not only main assets such as Office or the Chrome Browser, but also the extensions that are installed with those assets. These are all a part of the inventory list of software-used and should therefore, be tracked and handled appropriately. More importantly, users should never install ‘untrustworthy’ software. In order to know whether the software is or is not trustworthy, it is important that you do your research. Who is the developer? What does the software do? Where is the data going? What can the software access? Are the software extensions well-maintained? Are there any existing vulnerabilities to be wary of? Unfortunately, may often do not spend enough time doing this research. This is a habit that then carries over into the work environment and puts organisations at risk.
Companies should be aware of this and enforce strict, but otherwise simple rules. For example, “do not access banking details from the same computer where you read your emails”. In other words, employees in accounting should be given a specially hardened computer with no other functionalities other than to complete their accounting and banking tasks. Answering emails and browsing the web can be conducted on another computer. While organisations may incur additional costs in order to offer extra computers, the cost is significantly cheaper than if they were to fall victim to a cyber-attack.