GOOGLE users are being warned over a "sneaky" attack that lets criminals steal your passwords – and potentially your money too.
It affects Google Chrome users, and uses clever tricks to keep you from spotting the problem.
Google has been warned about the attack by SquareX Labs, the security company that found it.
The attack reportedly works using Google Chrome extensions, which are a popular way to upgrade your web browser.
Criminals will submit their "malicious" extension into the official Chrome Web Store.
The extension could be anything and – importantly – will perform the job you've downloaded it for.
SquareX says that you'll usually be tricked into downloading it through "social engineering tactics".
For instance, you might be told on social media that it's a great app.
So you'll follow a link to the Google Chrome Web Store and download the extension.
YOU'RE HACKED!
Once it's on your system, it'll choose another of your extensions, disable it, and then pretend to be that one.
SquareX says it will "silently impersonate" the extension so that you won't notice anything has gone wrong.
And once it's posing as that extension, it can feed whatever you type into it back to crooks.
That potentially includes access to logins, which could grant criminals access to your financial accounts.
"Imagine your AI transcriber tool shapeshifts into your password manager," SquareX explained.
"Then your crypto wallet, and finally into your banking app – all without your knowledge."
Even the app's logo will be stolen, with the malware creating "a pixel-perfect replica of the target's icon".
All the while, the legitimate extension is blocked from running at all.
"[It] even temporarily disables the legitimate extension," SquareX warned.
"Making it extremely convincing for victims to believe that they are providing credentials to the real extension.
"These credentials can then be used to access all the sensitive information, credentials and financial assets stored in the victim's account."
So when you're entering info into the fake extension – which might be a password manager – those details can be fed straight to criminals.
And they can use that info to conduct more serious attacks, including stealing all of your logins, and possibly your money.
SquareX compared it to having "full access to the kingdom", and warned that it's "extremely powerful".
WHAT CAN THE HACK DO?

Here's what SquareX says the dodgy extensions can do...
- Unauthorized transfer of cryptocurrencies using crypto wallets
- Unauthorized transactions using banking apps
- Unauthorized access to monitor, write and send confidential documents/emails with productivity tools (e.g. grammar checkers, automation tools)
- Unauthorized access to read and modify code base via developer tools
HOW TO STAY SAFE
The bad news is that SquareX says the problem is difficult for Google to fix.
"Unfortunately, given that the attack exploits a legitimate functionality in Chrome, this attack cannot be solved by patching the browser," SquareX warned.
"We have, however, written to Chrome for responsible disclosure.
"We also recommended Chrome to ban abrupt extension icon and HTML changes.
"Or implement user notifications in any such event to avoid impersonation attacks from happening."
You can help to protect yourself by not installing extensions you see being shared on social media.
It's best to stick to highly reviewed and well-known extensions to stay safe.
The Sun has asked Google for comment and will update this story with any response.