Recently, a security research team discovered that the “Phantom Shuttle” extension for the Chrome browser was actually a malicious plugin that implemented a sophisticated “man-in-the-middle” attack with the ability to steal user authentication credentials, credit card and other payment information, complete user browsing history, and other personally identifiable information submitted via online forms.
The Phantom Shuttle plugin was marketed as a “multi-location network speed testing plugin” and charged a subscription for the “services” provided. Features of the plugin included smart proxy management, multi-node switching, real-time speed monitoring with automatic ping tests, and customizable domain lists. The plugin was primarily intended for use by web developers, and it featured a professional-looking interface as well.
Fortunately, the installed user base of this plugin (there are actually two plugins that share the same name) is quite small and apparently geographically limited to Asia; even so, it highlights the need for us all to diligently evaluate the software we install on our devices. While this plugin was rather well executed and presented few, if any, outward signs of danger, we should all be wary of installing software that has a small user base, is provided by a developer (or developers) without an extensive history of providing quality software, or is simply software we really don’t need.
The “Phantom Shuttle” extension has been available in the Chrome extension repository for at least 8 years.
