Source: go.theregister.com – Author: Jessica Lyons
A Chrome and Edge extension with more than 100,000 downloads that displays Google’s verified badge does what it purports to do: It delivers a color picker to users. Unfortunately, it also hijacks every browser session, tracks activities across websites, and backdoors victims’ web browsers, according to Koi Security researchers.
Color pickers let users select any color from a website and copy it to the clipboard for later use – helpful for designing apps, websites, and the like. This particular extension from Geco is still available for download via both Microsoft's and Google's respective stores at press time. Neither company responded to The Register's inquiries, but we will update this story if that changes.
The Geco extension has more than 800 reviews on the Chrome Web Store, 4.2 stars (out of 5), and “featured” placement. Microsoft’s Edge Add-ons shows similarly glowing write-ups from its 1,000-plus users, and it looks like a perfectly safe extension.
“This isn’t some obvious scam extension thrown together in a weekend,” said Koi Security analyst Idan Dardikman in a Tuesday blog. “This is a carefully crafted Trojan horse.”
The Register also reached out to the developer for comment but did not receive a response.
The Geco color picker, according to Koi Security, is “just the tip of the iceberg,” and part of a much larger browser-hijacking campaign dubbed RedDirection. The campaign consists of 18 malicious extensions spanning both Chrome and Edge stores that all share the same snooping capabilities. All 18 extensions are listed at the bottom of this story.
“Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we’ve documented,” Dardikman wrote.
The extensions offer all sorts of capabilities: emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers (useful if your employer, school, or government blocks the popular video site). But in addition to providing these legitimate functions, they secretly surveil users’ web browsing activity, capturing URLs, sending this info to a remote attacker-controlled server along with the victim’s unique tracking ID, and even redirecting people’s browsers if instructed, according to the researchers.
What makes this even sneakier — and likely explains the Google verified badge — is that these extensions weren’t laced with malware from the start.
According to Dardikman, the code started out clean and sometimes remained that way for years before the malware was introduced during version updates. “Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently for over 2.3 million users across both platforms, most of whom never clicked anything,” he said.
If you’ve installed any of the extensions listed below, uninstall now, clear your browser data, and keep an eye on your accounts for any suspicious activity.
Extension IDs
Chrome:
- kgmeffmlnkfnjpgmdndccklfigfhajen — [Emoji keyboard online — copy&past your emoji.]
- dpdibkjjgbaadnnjhkmmnenkmbnhpobj — [Free Weather Forecast]
- gaiceihehajjahakcglkhmdbbdclbnlf — [Video Speed Controller — Video manager]
- mlgbkfnjdmaoldgagamcnommbbnhfnhf — [Unlock Discord — VPN Proxy to Unblock Discord Anywhere]
- eckokfcjbjbgjifpcbdmengnabecdakp — [Dark Theme — Dark Reader for Chrome]
- mgbhdehiapbjamfgekfpebmhmnmcmemg — [Volume Max — Ultimate Sound Booster]
- cbajickflblmpjodnjoldpiicfmecmif — [Unblock TikTok — Seamless Access with One-Click Proxy]
- pdbfcnhlobhoahcamoefbfodpmklgmjm — [Unlock YouTube VPN]
- eokjikchkppnkdipbiggnmlkahcdkikp — [Color Picker, Eyedropper — Geco colorpick]
- ihbiedpeaicgipncdnnkikeehnjiddck — [Weather]
Edge:
- jjdajogomggcjifnjgkpghcijgkbcjdi — [Unlock TikTok]
- mmcnmppeeghenglmidpmjkaiamcacmgm — [Volume Booster — Increase your sound]
- ojdkklpgpacpicaobnhankbalkkgaafp — [Web Sound Equalizer]
- lodeighbngipjjedfelnboplhgediclp — [Header Value]
- hkjagicdaogfgdifaklcgajmgefjllmd — [Flash Player — games emulator]
- gflkbgebojohihfnnplhbdakoipdbpdm — [Youtube Unblocked]
- kpilmncnoafddjpnbhepaiilgkdcieaf — [SearchGPT — ChatGPT for Search Engine]
- caibdnkmpnjhjdfnomfhijhmebigcelo — [Unlock Discord]
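A local check against the lists above, added here as an example and not code from Koi Security or The Register: it walks the Chromium-style Extensions folders (each extension is installed in a sub-folder named after its ID) and reports any ID that matches the RedDirection list. The profile paths are assumed defaults for the "Default" profile on Windows, macOS and Linux; other profiles must be passed to scan() explicitly.

```python
from pathlib import Path
# Extension IDs taken from the lists above; the store name follows each ID.
REDDIRECTION_IDS = {
    "kgmeffmlnkfnjpgmdndccklfigfhajen": "Emoji keyboard online (Chrome)",
    "dpdibkjjgbaadnnjhkmmnenkmbnhpobj": "Free Weather Forecast (Chrome)",
    "gaiceihehajjahakcglkhmdbbdclbnlf": "Video Speed Controller (Chrome)",
    "mlgbkfnjdmaoldgagamcnommbbnhfnhf": "Unlock Discord (Chrome)",
    "eckokfcjbjbgjifpcbdmengnabecdakp": "Dark Theme (Chrome)",
    "mgbhdehiapbjamfgekfpebmhmnmcmemg": "Volume Max (Chrome)",
    "cbajickflblmpjodnjoldpiicfmecmif": "Unblock TikTok (Chrome)",
    "pdbfcnhlobhoahcamoefbfodpmklgmjm": "Unlock YouTube VPN (Chrome)",
    "eokjikchkppnkdipbiggnmlkahcdkikp": "Geco colorpick (Chrome)",
    "ihbiedpeaicgipncdnnkikeehnjiddck": "Weather (Chrome)",
    "jjdajogomggcjifnjgkpghcijgkbcjdi": "Unlock TikTok (Edge)",
    "mmcnmppeeghenglmidpmjkaiamcacmgm": "Volume Booster (Edge)",
    "ojdkklpgpacpicaobnhankbalkkgaafp": "Web Sound Equalizer (Edge)",
    "lodeighbngipjjedfelnboplhgediclp": "Header Value (Edge)",
    "hkjagicdaogfgdifaklcgajmgefjllmd": "Flash Player (Edge)",
    "gflkbgebojohihfnnplhbdakoipdbpdm": "Youtube Unblocked (Edge)",
    "kpilmncnoafddjpnbhepaiilgkdcieaf": "SearchGPT (Edge)",
    "caibdnkmpnjhjdfnomfhijhmebigcelo": "Unlock Discord (Edge)",
}

# Assumed default Extensions folders of the "Default" profile on Windows/macOS/Linux.
def default_extension_roots(home=None):
    home = Path(home) if home else Path.home()
    rel = ["AppData/Local/Google/Chrome/User Data/Default/Extensions",
           "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
           "Library/Application Support/Google/Chrome/Default/Extensions",
           "Library/Application Support/Microsoft Edge/Default/Extensions",
           ".config/google-chrome/Default/Extensions",
           ".config/microsoft-edge/Default/Extensions"]
    return [home / r for r in rel if (home / r).is_dir()]

def ids_from_dir_names(names):
    # Chromium names each extension folder after its ID: 32 letters from a..p.
    return {n for n in names if len(n) == 32 and set(n) <= set("abcdefghijklmnop")}

def find_flagged(installed_ids, flagged=REDDIRECTION_IDS):
    return sorted((i, flagged[i]) for i in installed_ids if i in flagged)

def scan(roots=None):
    hits = []
    for root in (roots if roots is not None else default_extension_roots()):
        root = Path(root)
        names = [d.name for d in root.iterdir() if d.is_dir()] if root.is_dir() else []
        for ext_id, name in find_flagged(ids_from_dir_names(names)):
            hits.append((str(root), ext_id, name))
    return hits

if __name__ == "__main__":
    for root, ext_id, name in scan():
        print(f"FLAGGED {ext_id} ({name}) in {root}")
```

A hit means the extension's files are present on disk, not necessarily that it is enabled; a clean result covers only the profile folders scanned.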
“No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware,” the blog warns. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/08/browser_hijacking_campaign/