Chrome Extensions Hijack User Data with Malicious Code
Two malicious Chrome extensions called Phantom Shuttle have been discovered in the Chrome Web Store, posing as legitimate tools for proxy services while secretly hijacking user data. According to research from the Socket supply-chain security platform, these extensions have been active since at least 2017 and remain available for download at this time.
Targeting users in China, including foreign trade professionals who require reliable connectivity tests, Phantom Shuttle is marketed as a subscription-based service ranging from $1.40 to $13.60. Both extensions share the same developer name and are presented as tools to proxy traffic and evaluate network speed.
How the Extensions Operate
The Socket.dev researchers found that Phantom Shuttle reroutes all user web traffic through proxies controlled by the malicious actor. This nefarious activity is facilitated by hardcoded credentials hidden within the legitimate jQuery library, employing a custom character-index encoding scheme to obscure the data theft functionality. The extensions also utilize a web traffic listener that intercepts HTTP authentication challenges across various websites.
To facilitate the automatic routing of user traffic through the attacker’s proxies, the extensions dynamically adjust Chrome’s proxy settings using an auto-configuration script. In the default “smarty” mode, they direct traffic from over 170 high-value domains through their proxy network. These domains include popular developer platforms, cloud service consoles, social media sites, and adult content portals. Notably, local networks and the command-and-control domain are excluded from this routing to avoid detection.
While serving as a man-in-the-middle, Phantom Shuttle can capture a wide array of sensitive data, including credentials, credit card details, passwords, and personal information. The extensions can also extract session cookies from HTTP headers and API tokens from user requests, significantly compromising user privacy and security.
Response from Google and User Recommendations
The security concerns raised by Socket have prompted inquiries to Google regarding the continued presence of these extensions in the Web Store. As of now, there has been no immediate response from the tech giant. Users of Chrome are advised to exercise caution when installing extensions, prioritizing those from reputable publishers, reviewing user feedback, and carefully considering the permissions requested during installation.
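Reviewing requested permissions can be partly automated. The following is an added example, not code from Socket's report or from the extensions: a Python check that flags a `manifest.json` combining the Chrome permissions needed for the behaviour described above (proxy control plus handling of HTTP authentication challenges on all sites). The sample manifests are constructed, and the finding labels are this example's own wording.

```python
import json

# Chrome extension permission names tied to the behaviours described above.
PROXY = "proxy"  # chrome.proxy: set a fixed proxy or a PAC script
WEB_REQUEST = "webRequest"  # observe requests, including onAuthRequired events
# Either of these lets a listener answer an HTTP auth challenge (MV3 / MV2).
AUTH_RESPONDERS = {"webRequestAuthProvider", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _strings(values):
    """Keep only string entries; manifests may also carry object entries."""
    return {v for v in values or [] if isinstance(v, str)}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    perms = _strings(manifest.get("permissions"))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = perms | _strings(manifest.get("host_permissions"))
    optional = _strings(manifest.get("optional_permissions"))
    all_sites = bool(hosts & BROAD_HOSTS)
    findings = []
    if PROXY in perms:
        findings.append("proxy: can reroute browser traffic")
    if WEB_REQUEST in perms and all_sites:
        findings.append("webRequest: can observe requests to all sites")
    if PROXY in perms and WEB_REQUEST in perms and perms & AUTH_RESPONDERS and all_sites:
        findings.append("HIGH: proxy control plus auth-challenge handling on all sites")
    if PROXY in optional:
        findings.append("proxy: may be requested after install")
    return findings


# Constructed sample manifests, not taken from any real extension.
SUSPECT = json.loads("""{"manifest_version": 3, "name": "sample-proxy-tool",
  "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  "host_permissions": ["<all_urls>"]}""")
BENIGN = json.loads("""{"manifest_version": 3, "name": "sample-notes",
  "permissions": ["storage", "activeTab"]}""")

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(m["name"], audit_manifest(m) or ["no findings"])
```

Legitimate VPN and proxy extensions request the same permissions, so a HIGH finding is a prompt to review the publisher and the extension's code, not a verdict.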
The ongoing presence of Phantom Shuttle highlights the critical need for users to remain vigilant about the tools they incorporate into their browsers. As cyber threats continue to evolve, ensuring the security of personal data has never been more important.
