
The browser extension allows hackers to ‘steal’ emails undetected

Security researchers are now warning about malware hiding in browser extensions and snooping on emails from Gmail and AOL. Behind it is a hacker group from North Korea that aims to steal sensitive data. This comes from a report by Hacker News. The North Korean regime-backed threat group known as Kimsuky uses a malicious browser extension to eavesdrop on its victims’ emails.

The security researchers at Volexity discovered this campaign and named it Sharpext. The hackers target Chromium-based browsers, such as Google Chrome, Microsoft Edge, and Whale. For these browsers, the hackers have developed manipulated extensions that open a back door for the attackers into their victims’ email accounts.

However, these extensions are not offered for public download to hit random victims. The hackers deploy the extension only on computers they already have access to. The add-on is then installed by replacing the browser’s “Preferences” and “Secure Preferences” files, and its execution is hidden by loading it through the browser’s developer mode.
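Because the article says the extension is planted by replacing the browser’s “Preferences” and “Secure Preferences” files and run through developer mode, a defender can look for exactly that footprint. The following script is an added example written for this page, not code from Volexity or from the article; it parses the `extensions.settings` section of a Chromium “Secure Preferences” file and flags extensions that are not from the Chrome Web Store, are loaded unpacked (developer mode), or request access to the Gmail and AOL webmail hosts the campaign targets. The key names are Chromium’s real preference keys; the numeric `location` code for an unpacked extension (4) is assumed from Chromium’s `Manifest::Location` enum and should be verified against the browser build in use. The JSON sample embedded below is constructed for the demonstration.

```python
"""Audit a Chromium 'Secure Preferences' file for sideloaded extensions.

Added example for this page (not Volexity's or the article author's code).
It reads the `extensions.settings` section and reports entries that look
sideloaded: not from the Web Store, loaded unpacked (developer mode), or
asking for access to the Gmail/AOL hosts named in the article.
"""
import json
import sys

# Assumption: Chromium Manifest::Location value for an extension loaded
# unpacked from a directory (developer mode). Verify against your build.
LOCATION_UNPACKED = 4

# Webmail hosts the article says the campaign targets; used to rank findings.
WEBMAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def find_sideloaded_extensions(prefs: dict) -> list:
    """Return one finding per extension that is not from the Web Store, is
    loaded unpacked, or requests webmail host access (with the reasons)."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked (developer mode)")
        manifest = entry.get("manifest", {})
        # Manifest V2 lists host patterns under "permissions"; V3 uses
        # "host_permissions". Check both.
        perms = list(manifest.get("permissions", [])) + list(
            manifest.get("host_permissions", [])
        )
        webmail = [p for p in perms if any(h in p for h in WEBMAIL_HOSTS)]
        if webmail:
            reasons.append("requests webmail host access: " + ", ".join(webmail))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unknown>"),
                "path": entry.get("path", "<unknown>"),
                "reasons": reasons,
            })
    return findings


def audit_file(path: str) -> list:
    """Load a Secure Preferences JSON file from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_sideloaded_extensions(json.load(fh))


# Constructed sample: one ordinary Web Store extension and one entry shaped
# like a sideloaded, unpacked extension that asks for Gmail and AOL access.
SAMPLE_PREFS = json.loads(r'''{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "manifest": {"name": "Benign Store Extension", "permissions": ["storage"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {
          "name": "Sideloaded Sample",
          "permissions": ["tabs", "*://mail.google.com/*", "*://mail.aol.com/*"]
        }
      }
    }
  }
}''')


if __name__ == "__main__":
    # Usage: python audit_prefs.py "<profile dir>/Secure Preferences"
    # With no argument the constructed sample is audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_file(target) if target else find_sideloaded_extensions(SAMPLE_PREFS)
    for f in results:
        print(f"{f['id']} ({f['name']}) at {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against a user profile’s “Secure Preferences” file (the path differs per browser and OS) to get a short list of extensions worth a closer look; an unpacked extension that was never installed through the Web Store and has a manifest requesting webmail hosts matches the footprint the article describes and deserves manual inspection of the directory its `path` points to.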

Spying on AOL and Gmail accounts

The attackers use a modified VBS script to compromise the victims’ AOL and Gmail accounts. A malicious extension is then installed in the background. “The malware inspects and filters data directly from the victim’s webmail account as the user browses it,” Volexity researchers explain. “Since its discovery, the extension has evolved and is currently in version 3.0, based on the internal version control system.”

The malicious extension has now learned to evade detection. During the attack, the extension waits for the victim to log in to the email account, so there is no login by a stranger from an unusual location that could trigger the email provider’s security mechanisms. The victim therefore receives no warning about suspicious activity, and the hackers can read emails undisturbed, steal data, or even use the accounts to send malware.