Christmas gift from hackers: 3 Chrome extensions to remove

Twenty infected extensions were activated on Christmas Eve, three of them are very famous and have been downloaded by millions of users also in Italy.

Hackers and cybercriminals are hard workers and don't stop even at Christmas, forcing cybersecurity companies to work overtime. So it happens that cyber threat detection tools start bombarding users (and the companies that developed them) with security alerts. What has happened? Kaspersky Lab explains.

Starting on the morning of December 24, as we were all getting ready to spend one of the strangest and most online Christmas days ever, the Russian company's antivirus intercepted millions of calls to a server trying to download dangerous code. Di conseguenza sono state inviate una marea di segnalazioni agli utenti ma anche alla casa madre, dove gli esperti hanno iniziato a indagare su cosa stesse succedendo. E, in breve tempo, lo hanno scoperto: una ventina di estensioni di Chrome/Edge si erano improvvisamente attivate in giro per il mondo e avevano iniziato a connettersi a quel server. Tutte insieme, senza apparente motivo.

Quali sono le estensioni infette da rimuovere

Kaspersky ha segnalato a Google tutte le estensioni pericolose, ma ha preferito rivelare al pubblico solo il nome di tre di esse. Le più famose: Frigate Light, Frigate CDN e SaveFrom. Specialmente l’ultima è diffusa anche in Italia, perché permette a chi la installa di scaricare video dalle piattaforme di streaming come YouTube e Vimeo, ma anche da Facebook, Twitter e molti altri siti.

In totale le oltre 20 estensioni infette sono state scaricate più di 8 milioni di volte. Because they all triggered at once, there was a boom in the number of reports from the threat detection tool, which made it possible to find the source of the problem very quickly.

Why the extensions are dangerous

All the extensions were found to be infected with a member of the Trojan.Multi.Preqw.gen family of viruses. It is a virus that, in this case, aims to generate fake traffic to certain videos in order to cheat advertising networks.

Users do not see anything, because the player runs in the background, but the computer and the Internet connection are slowed down due to the abnormal traffic generated by the malware. The cleverness of the hackers was to launch this campaign at Christmas time, when many more users are at home with their computers switched on.

This way they could generate many more fake views and at the same time users would think that the connection slowdown was due to high holiday traffic.

What to do if you use these extensions

It is likely that the developers of these extensions are not even aware of what their software is doing right now: it is not uncommon for hackers to use extensions developed by someone else, infecting them, for their own purposes.

In the meantime, though, what should users do? Those who have a good antivirus will most likely have already been warned that something is wrong and, just as likely, the extension will have been disabled automatically. Those who use these extensions but do not have any protection would be well advised to uninstall them, also because it cannot be excluded that they will be used to download and execute more dangerous code in the future.