When our computer suffers some kind of security attack, we often don't know where it came from. Here we look at a Google Chrome extension that puts your email at risk.
Despite all the years it has been with us, email remains a service of special importance. This is particularly evident in professional environments, where we do not want our messages to fall into the wrong hands. Many of you probably have one or more accounts with Gmail, Google's mail service.
Well, various international security organizations are now warning about a series of extensions installed in the Chrome browser. The danger is that they silently steal our Gmail messages, which can become a serious problem. This worldwide attack comes from a malicious North Korean group that uses various techniques to carry out cyber espionage. Initially focused on South Korea, the group has over time extended its attacks to the United States and Europe.
It must be said that the security advisory warns about two attack methods. On the one hand, malicious extensions installed in the Chrome browser; on the other, applications for Android devices. Given that these techniques can be used against anyone, it is important to be careful.
See if you have installed the malicious extension in Chrome
We must bear in mind that the attack begins with an email urging the victim to install a malicious Chrome extension. The extension also works in other Chromium-based browsers, such as Microsoft Edge. It is called AF, and once installed it activates automatically whenever we open Gmail in the infected browser.
In this way, it intercepts and steals the content of our emails. The malicious extension uses the browser's DevTools API, which is how it sends the stolen data to the attacker's server without us noticing. What's more, none of this requires breaking the security protections of the account itself. It is also worth knowing that this is not the first time this group has used malicious Chrome extensions to steal emails from infected systems.
Therefore, if we have the aforementioned extension called AF installed, we should remove it from our computer as soon as possible. We can easily check by typing the following in the Chrome address bar:
chrome://extensions
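As an added check that is not part of the original article, the following script scans the Default profile's Extensions folder of Chrome on disk and flags any extension whose manifest is named "AF", declares a devtools_page (the manifest key an extension needs to use the DevTools API), or is scoped to run on Gmail pages. The profile paths and the match patterns are assumptions for the stable Chrome channel; the sample manifests are constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# Patterns that let an extension touch Gmail (assumed set; extend for other mail hosts).
GMAIL_PATTERNS = ("mail.google.com", "<all_urls>", "*://*/*", "https://*/*")

def classify_manifest(manifest: dict) -> list:
    """Reasons an extension manifest deserves a closer look (empty list = nothing found)."""
    reasons = []
    if str(manifest.get("name", "")).strip().lower() == "af":
        reasons.append("name matches the reported extension 'AF'")
    if "devtools_page" in manifest:  # required to use the DevTools API
        reasons.append("declares a devtools_page (DevTools API access)")
    scopes = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        scopes += script.get("matches", [])
    if any(isinstance(s, str) and any(p in s for p in GMAIL_PATTERNS) for s in scopes):
        reasons.append("can run on or read Gmail pages")
    return reasons

def scan_extensions(root: Path) -> list:
    """Walk <root>/<id>/<version>/manifest.json and return (id, name, reasons) for each hit."""
    findings = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        reasons = classify_manifest(manifest)
        if reasons:
            findings.append((manifest_path.parents[1].name, manifest.get("name", "?"), reasons))
    return findings

def build_sample_profile() -> Path:
    """Constructed sample data: one extension shaped like the advisory's, one harmless one."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa/1.0": {"name": "AF", "manifest_version": 3, "devtools_page": "devtools.html",
                     "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["x.js"]}]},
        "bbbb/2.1": {"name": "Color Picker", "manifest_version": 3, "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    # Assumed Default-profile paths for Chrome on Linux, macOS and Windows.
    home = Path.home()
    candidates = [home / ".config/google-chrome/Default/Extensions",
                  home / "Library/Application Support/Google/Chrome/Default/Extensions",
                  Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions"]
    for root in (r for r in candidates if r.is_dir()):
        for ext_id, name, reasons in scan_extensions(root):
            print(f"{ext_id}  {name!r}: {'; '.join(reasons)}")
```

A hit only means the extension deserves a look in chrome://extensions; a legitimate developer tool can also declare a devtools_page.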
You may also be interested to know that this same attack affects our Android devices, where it poses as a security plugin or a document viewer. In this case, the malware logs into the victim's Google account, whose credentials were previously stolen through the emails. The attackers then use the Google Play sync feature to install malicious applications on the device.