Two malicious Chrome extensions, “Phantom Shuttle,” were found stealing sensitive user data for years before being removed from the Chrome Web Store, raising concerns about online security.
Security researchers have recently exposed two Chrome extensions, known as “Phantom Shuttle,” that have been stealing user data for years. These extensions, which were designed to appear as harmless proxy tools, were found to be hijacking internet traffic and compromising sensitive information from unsuspecting users. Alarmingly, both extensions were available on Chrome’s official extension marketplace.
According to researchers at Socket, the extensions have been active since at least 2017. They were marketed towards foreign trade workers needing to test internet connectivity from various regions and were sold as subscription-based services, with prices ranging from approximately $1.40 to $13.60. At first glance, the extensions seemed legitimate, with descriptions that matched their purported functionality and reasonable pricing.
However, the reality was far more concerning. After installation, the Phantom Shuttle extensions routed all user web traffic through proxy servers controlled by the attackers. These proxies authenticated with hardcoded credentials embedded directly in the extension's code, making detection difficult. The malicious logic was concealed within what appeared to be a legitimate jQuery library, further complicating efforts to identify the threat.
The attackers employed a custom character-index encoding scheme to obscure the credentials, ensuring they were not easily accessible. Once activated, the extensions monitored web traffic and intercepted HTTP authentication challenges on any site visited by the user. To maintain control over the traffic flow, the extensions dynamically reconfigured Chrome’s proxy settings using an auto-configuration script, effectively forcing the browser to route requests through the attackers’ infrastructure.
In its default "smarty" mode, Phantom Shuttle routed traffic for more than 170 high-value domains, including developer platforms, cloud service dashboards, social media sites, and adult content portals. Notably, local networks and the attackers' command-and-control domain were excluded, likely to avoid raising suspicion or disrupting their operations.
While functioning as a man-in-the-middle, the extensions were capable of capturing any data submitted through web forms. This included usernames, passwords, credit card details, personal information, session cookies from HTTP headers, and API tokens extracted from network requests. The potential for data theft was significant, raising serious concerns about user privacy and security.
Following the revelations, CyberGuy reached out to Google, which confirmed that both extensions had been removed from the Chrome Web Store. This incident underscores the importance of vigilance when it comes to browser extensions, as they can significantly increase the attack surface for cyber threats.
To mitigate risks associated with browser extensions, users are advised to regularly review the extensions installed on their devices. It is essential to scrutinize any extension that requests extensive permissions, particularly those related to proxy tools, VPNs, or network functionalities. If an extension seems suspicious, users should disable it immediately to prevent any potential data breaches.
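As an added example (not code from Socket, CyberGuy or Google), the following Python script audits the extensions in a local Chrome profile for the capabilities the Phantom Shuttle extensions relied on: the `proxy` and `webRequest` permission family, host access to every site, and bundled scripts that call `chrome.proxy.settings.set` with a PAC script or hook `onAuthRequired`. The profile path in the main block is an assumed Linux default.

```python
import json
import re
from pathlib import Path

# Chrome permission names that let an extension reroute or intercept traffic.
RISKY_PERMISSIONS = {
    "proxy": "can rewrite the browser's proxy settings, e.g. install a PAC script",
    "webRequest": "can observe every network request",
    "webRequestBlocking": "can modify or block network requests",
    "webRequestAuthProvider": "can answer HTTP authentication challenges",
}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Source-code patterns for proxy reconfiguration and auth interception.
SOURCE_PATTERNS = {
    r"chrome\.proxy\.settings\.set": "calls chrome.proxy.settings.set",
    r"\bpacScript\b": "supplies a PAC script to the proxy API",
    r"onAuthRequired": "hooks HTTP authentication challenges",
}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    for perm in perms:
        if perm in RISKY_PERMISSIONS:
            findings.append(f"permission '{perm}': {RISKY_PERMISSIONS[perm]}")
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    if hosts & ALL_HOSTS:
        findings.append("host access to every site")
    return findings

def audit_source(js: str) -> list[str]:
    return [desc for pat, desc in SOURCE_PATTERNS.items() if re.search(pat, js)]

def audit_extension(version_dir: Path) -> dict:
    """Audit one unpacked extension version directory (the one holding manifest.json)."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = audit_manifest(manifest)
    for script in version_dir.rglob("*.js"):  # bundled libraries too, as with the fake jQuery
        for hit in audit_source(script.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"{script.relative_to(version_dir)}: {hit}")
    return {"name": manifest.get("name", "?"), "findings": findings}

if __name__ == "__main__":
    # Assumed default Linux profile path; adjust for macOS or Windows profiles.
    root = Path.home() / ".config/google-chrome/Default/Extensions"
    for m in root.glob("*/*/manifest.json"):
        print(json.dumps(audit_extension(m.parent), indent=2))
```

A hit on `proxy` plus `webRequest` plus all-site host access is exactly the profile a legitimate proxy tool also needs, so treat the output as a shortlist for manual review rather than a verdict.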
Additionally, employing strong antivirus software can provide an extra layer of protection against suspicious network activity and unauthorized changes to browser settings. This software can alert users to potential threats, including phishing emails and ransomware scams, helping to safeguard personal information and digital assets.
Ultimately, the Phantom Shuttle incident serves as a reminder of the dangers posed by malicious extensions that masquerade as legitimate tools. Users must remain vigilant and proactive in managing their browser extensions to protect their online privacy and security. As the landscape of cyber threats continues to evolve, staying informed and cautious is crucial.
For further information on cybersecurity and best practices, visit CyberGuy.com.