The Chrome Extension That Steals Credit Card Numbers

A Chrome extension is stealing your credit card details without you knowing. Do you have it installed on your device?

A Chrome extension that is currently still available on the Chrome Web Store steals card information from online payment forms visited by infected users.

The browser extension has been active since February 2018 and was discovered by security researchers at ElevenPaths. The extension cannot be found by searching the Chrome Web Store. The only way to reach it is through the link that the malicious users use to spread it, which they do by injecting JavaScript into websites so that visitors are redirected to download the extension.

The malicious extension is named “Reader Flash”. When a user visits a website into which the JavaScript has been injected, the webpage detects the browser and redirects the user to a page that demands they download the “Reader Flash” extension.

ElevenPaths analysed the extension and found that, once installed, it abuses the “webRequest.onBeforeRequest” API to intercept the user's form submissions.

The extension watches for payment card details being entered by applying regular expressions in its code, such as “vvregex” for Visa and “mcregex” for Mastercard.

Source: ElevenPaths

ElevenPaths noted “That is, in case of any of the data included in the request is a card number, these numbers –encoded in JSON– will be sent to the attacker through an AJAX request. In particular, it uses the “sendFormData” function, which contains the base64-encoded end URL.”

Base64: aHR0cDovL2Zic2dhbmcuaW5mby9jYy9nYXRlLnBocA==

Decoded: hxxp://fbsgang.info/cc/gate.php

This extension has been installed 400 times; however, because it can only be downloaded via a link that the malicious user spreads themselves, the spread has not been huge. The extension takes advantage of a single API call, showing how simple it is for malicious users to retrieve and exfiltrate personal data.
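
For defenders, the traits described above (a webRequest listener covering every site, access to submitted form data, and an endpoint hidden in base64) can be checked statically in an unpacked extension. The following is an added example, not code from ElevenPaths or from the extension itself; the function names, rule names, and the sample manifest and script are constructed for illustration, and only the base64 string is taken from this post.

```javascript
// Added example: static triage of an unpacked extension (manifest + script text).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Decode every quoted base64-looking literal; keep those that decode to a URL.
function hiddenUrls(source) {
  const found = [];
  for (const m of source.matchAll(/["']([A-Za-z0-9+/]{16,}={0,2})["']/g)) {
    const text = Buffer.from(m[1], "base64").toString("latin1");
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) {
      // Defang before reporting so the finding is never clickable.
      found.push({ encoded: m[1], url: text.replace(/^http/, "hxxp") });
    }
  }
  return found;
}

function triageExtension(manifest, source) {
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const findings = [];
  const broad = perms.filter((p) => BROAD_HOSTS.has(p));
  if (perms.includes("webRequest") && broad.length > 0) {
    findings.push({ rule: "webRequest-on-all-sites", detail: broad.join(", ") });
  }
  // "requestBody" is the extraInfoSpec that exposes submitted form fields.
  if (/onBeforeRequest\s*\.\s*addListener/.test(source) && /["']requestBody["']/.test(source)) {
    findings.push({ rule: "reads-request-bodies", detail: "onBeforeRequest + requestBody" });
  }
  for (const h of hiddenUrls(source)) {
    findings.push({ rule: "base64-encoded-url", detail: h.url });
  }
  return findings;
}

// Constructed sample input (not the real extension's files).
const sampleManifest = { name: "sample", permissions: ["webRequest", "<all_urls>"] };
const sampleSource = `
  chrome.webRequest.onBeforeRequest.addListener(inspect, { urls: ["<all_urls>"] }, ["requestBody"]);
  var gate = atob("aHR0cDovL2Zic2dhbmcuaW5mby9jYy9nYXRlLnBocA==");
`;

console.log(triageExtension(sampleManifest, sampleSource));
```

Any single finding is only a prompt for manual review, since legitimate extensions also use webRequest; the combination of all three is what matches the behaviour reported here.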
