New report implicates domain registrar in massive ring of malicious Chrome Extensions

Another day, another cartload of random Chrome Extensions removed from the Web Store due to malicious activity. Only this time, the extensions may have more in common than meets the eye. Unlike many mass extension removals that share similar types of attacks or multiple extensions that all have the same developer behind them, the latest batch of rogue apps from the Chrome Web Store have all been traced back to a single, increasingly questionable domain registrar company in Israel that goes by the name GalComm.

The report that resulted in the removal of more than 100 Chrome Extensions originated from Awake Security. The company specializes in identifying online threats and uses AI to track a wide range of factors with the goal of detecting malicious software and the traits that those ever-evolving threats present. Using their “brain-mimicking” AI, Awake identified more than 100 extensions that were linked to “attack campaigns” of more than 15,000 associated domains.

Awake uncovered 15,160 domains tied to exploitive landing pages, malicious chrome extension command and control, and
related malware. 111 fake and malicious chrome extensions associated with these attack campaigns were harvested in the wild
from enterprise networks in only the past three months. These extensions were performing operations such as taking screenshots of the victim device, loading other malware, reading the clipboard, and actively harvesting tokens and user input

Awake Security

While malicious extensions are nowhere near uncommon, the cases are usually quite isolated with specific intents such as snagging user’s private keys, crypto wallets, site credentials, or what have you. As unnerving as those may be, this discovery by Awake Security hints at something on a much grander scale and is the reason for a manageable amount of alarm. The thousands of domains liked to these various types of attacks all resolve back to the GalComm registrar and Awake is convinced that the ICANN accredited company is involved directly with the misdoings.

As you will see in this report, this registrar, who also maintains a Registrar Accreditation Agreement with ICANN, is responsible
for putting far more malicious domains, malware, and exploitative content on the internet than legitimate content. We believe
the research and analysis summarized in this report proves that GalComm is at best complicit in malicious activity.

Shop All The Latest Chromebook Deals

GalComm has also been connected to three other web hosting and mobile app solutions companies. Two of which have been known for mass typo-squat attacks targeting a large number of Google-specific domains. This information doesn’t necessarily place GalComm as the triggerman for the malicious sites and extensions but the lack of response from the company and the fact that none of the sites appear to be removed indicates that the registrar is at minimum aware of the activity. Regardless of the company’s involvement, this issue raises a red flag that I hope Google will address moving forward. Chrome is the world’s most widely used browser and Chrome OS is quickly gaining users by the droves. The Chrome Web Store needs to be policed more than ever and I think it’s time that Google took the time to give the extension shop a major overhaul before millions of unknowing users fall victim to something disastrous.

The good news, for now, is that Google has removed the offending extensions and Awake continues to scan the web for these types of threats. If you’d like to read the full report from Awake Security, you can request a copy by heading to the company’s website here.