Malicious browser extensions can steal credentials, cryptocurrency, and more

From blocking ads and coin miners to saving news stories for later reading, browser extensions allow users to customize their web browsers for convenience, efficiency, and even privacy and security – usually for free. However, browser extensions need a wealth of access permissions to operate, including things like browsing history, website content, even login credentials. Because extensions aren’t applications in their own right – they run inside web browsers – antivirus software generally cannot detect malicious extensions. These innate vulnerabilities, along with their popularity, make browser extensions a very attractive target for cyber criminals, who attack on two fronts, by developing their own, malware-infested extensions or by hijacking legitimate extensions.

Born to be bad: malicious browser extensions

Some extensions are designed to be malicious. Most of the time, they seek to steal login credentials and other sensitive information. For example, a Medium blogger recently reported on a malicious Google Chrome extension called “CCB Cash,” which purported to give users up to 5% cash back on all of their cryptocurrency transactions. In actuality, CCB Cash did nothing but steal login credentials and cryptocurrency. Google has since removed CCB Cash from its extension store, but not before the hackers behind it managed to make off with 23.23550279 BTC, or a little over $81 million.

Other malicious extensions install adware that redirects user searches to affiliate pages that the developers earn money from; a variant on this scheme replaces legitimate search engine ads with affiliate ads. Sometimes, extensions will redirect users to phishing sites or sites that contain drive-by downloads.

CCB Cash, with its outrageous promises of 5% cash back on practically everything, was an excellent example of the old adage, “If it sounds too good to be true, it probably is.” However, not all malicious browser extensions display obvious red flags. Just like malicious mobile phone apps, many of them disguise themselves as legitimate tools, such as a PDF reader or a VPN. The malicious extension may also impersonate a popular legitimate extension, even going so far as to stuff keywords so that their extension appears near the top of the browser’s extension store. Last year, over 20 million users installed phony ad blocker Chrome extensions before Google removed them.

Good extensions gone bad

Sometimes, hackers don’t bother coding their own extensions; they just hijack legitimate ones. There are several ways to accomplish this:

• Use a phishing scheme to take control of the extension store accounts belonging to developers of legitimate extensions, add malicious code to the extensions, and push an update through. In 2017, hackers used this method to hijack the popular Google Chrome Web Developer extension and turn it into adware.
• Take control of a popular extension legitimately, by purchasing it from the developer, add malicious code, and push an update through. This is how users of the popular Chrome extension “Add to Feedly” suddenly found themselves inundated with pop-ups and other affiliate ads.
• Utilize malicious code embedded on a website to compromise the API of a vulnerable browser extension, as reported in a research paper published this month.

A new trojan called Razy, which spoofs searches to steal cryptocurrency, ups the ante by compromising the browser itself, installing malicious extensions, then infect already installed, legitimate extensions by disabling browser updates and extension integrity checks.

Protecting yourself from malicious extensions

There are a few ways to protect yourself from malicious browser extensions:

• Only install extensions you actually need and will use.
• Periodically review your installed extensions. Uninstall extensions that you no longer use or that you do not recognize.
• Vet extensions before you install them. Visit the developer’s website. Read the description and the reviews. Beware if the description is riddled with spelling and grammar errors, or if the extension is relatively new but has a lot of reviews, every single one of them five-star and very similarly worded.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

The 5 top healthcare cyber threats, according to the U.S. Department of Health & Human Services’ new guide

The financial impact of healthcare cyber attacks can be devastating, especially to small organizations. The HHS points out that the healthcare industry has the highest data breach cost of any industry, at an average of $408 per record and $2.2 million per organization. In 2016, the healthcare industry as a whole lost $6.2 billion to data breaches.

Noting that healthcare cyber security is “the responsibility of every health care professional, from data entry specialists to physicians to board members,” the U.S. Department of Health and Human Services (HHS) has published Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). The four-volume publication, which was mandated by the Cybersecurity Act of 2015, is aimed at hospital executives and cyber security professionals in healthcare organizations of all sizes and leverages the NIST Cybersecurity Framework. It outlines what the agency considers to be the most common healthcare cyber threats and recommends best practices to mitigate them.

Email phishing

The overwhelming majority of successful cyber attacks begin with a phishing scheme. Business email compromise (BEC), a highly targeted spear phishing technique, is responsible for over $12 billion in losses globally. Although many people still equate phishing with emails, this healthcare cyber threat has evolved, with hackers employing text messages, phone calls, and even social media “quizzes” to trick unwitting victims.

Ransomware

While cryptojacking is now the most common type of malware, ransomware is still a significant healthcare cyber threat, primarily because of the time-sensitivity of the information processed and stored in healthcare data environments. One-quarter of SamSam ransomware victims are in the healthcare sector. Authorities believe the SamSam hackers have earned over $6 million from their malware.

Loss or theft of hardware

Mobile devices, such as laptops, tablets, and smartphones, have opened up the world of remote work. In the healthcare industry, mobility makes electronic health records feasible; healthcare providers can access patient data from anywhere. However, these devices also present a major healthcare cyber threat, as they are easily lost or stolen. Even if a device is ultimately recovered, PHI and other sensitive information may have been compromised.

Insider, accidental, or intentional data loss

Insider threats exist in every organization, and there are two types: accidental and intentional. Intentional insider threats, which involve purposefully malicious behavior, represent the minority of cases. However, even an accidental insider healthcare cyber threat – an employee being tricked into clicking on a phishing link or sharing their password “just this one time” – can result in a ransomware attack, a data breach, or other cyber attack.

Attacks against smart medical devices

Smart devices are proliferating like rabbits, but a lack of common security standards means many devices suffer from serious security vulnerabilities. The proliferation of medical IoT devices has given hackers a much broader attack surface on which to target healthcare organizations. Recognizing the severity of this healthcare cyber threat, NIST has released a guide for securing medical IoT devices, SP 1800-8. While SP 1800-8 specifically addresses infusion pumps, the guidelines can be applied to the entire medical IoT ecosystem.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

These common cyber security mistakes could get your company hacked.

With an estimated 90% of cyber attacks caused by human error or behavior, it’s important to understand the most common cyber security mistakes your employees are probably making and know how to mitigate them.

Becoming victims of phishing schemes

Stolen login credentials are the most common way hackers breach enterprise systems, and most of the time, these credentials are stolen through a phishing scheme. A highly targeted variant of phishing, called spear phishing or business email compromise, is used to convince employees to wire money or send sensitive data, such as W2 information, to cyber criminals.

Avoid having your employees make this cyber security mistake by educating them about the warning signs of a phishing scheme. Organizations must also establish policies against sending sensitive data through email, ensure that employees have access only to the systems and data they need to do their jobs, and add redundancy into payment approval processes, especially wire transfers.

Mistakes involving login credentials

This is a broad category of cyber security mistakes that includes:

• Using weak passwords
• Not using multi-factor authentication whenever possible
• Reusing passwords
• Sharing login credentials
• Writing credentials down and leaving them in public areas, such as sticky notes in the work area
• Leaving a terminal unattended without logging out first

Most of these security mistakes can be avoided through employee education on the dangers of not keeping login credentials secure. Organizations can also employ technical measures to force login sessions to automatically time out when a terminal is inactive, require the use of MFA, and automatically generate strong passwords.

Using shadow IT software and services

Over three-quarters of employees admit to using shadow IT software and services at the workplace. Most of the time, their intentions are not malicious. They are simply trying to do their jobs better, and they do not realize how dangerous shadow IT can be to security and compliance. Employee education is the best way to head off this security mistake. Technical tools can also be employed to ferret out shadow IT apps.

Inserting “mystery” devices into workplace computers

A common social engineering tactic is for hackers to leave USB thumb drives and other plugin devices in public areas where employees will find them. Sometimes, the devices will have labels meant to entice employees to want to covertly access them, such as “Q4 Performance Reviews” or indicating that the device contains pornographic content. Employees must be educated about the dangers of making this security mistake.

Making security mistakes when using public WiFi

Free public WiFi networks are ubiquitous, found everywhere from fast-food restaurants to aboard trains. Remote workers and employees who frequently travel for business often take advantage of public WiFi to work on the go. As with shadow IT apps, this is usually because of a security mistake, not maliciousness or negligence; employees don’t realize how dangerous public WiFi is. In addition to educating employees on best practices when accessing public WiFi networks, organizations should provide VPN access to all employees who work remotely.

Not protecting computers and other IoT devices

This security mistake involves physical protection as well as password protection. In a recent survey, over half of working adults admitted to allowing friends and family to access devices given to them by their employers. Employees who travel for work may also leave devices unattended in public areas or hotel rooms or allow strangers to “borrow” their smart phones.

Employees who travel need to be educated about best cyber practices when traveling. Organizations should ensure that these employees’ devices are protected with strong passwords, multi-factor authentication, or a biometric lock. If possible, have disposable phones and laptops on hand to loan to employees for travel purposes. If an employee must travel with a device that contains sensitive data, make sure the device is encrypted.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.