The Silent Invader: How to Guard Against Malicious Browser Extensions
By now, most business leaders know about the dangers posed by malware and ransomware and what an existential threat they can be. However, those are far from the only cyber threats businesses must guard against.
For example, one of the most overlooked threats out there is that of malicious browser extensions. These are small browser add-ons that augment the features of popular web browsers like Chrome, Firefox, Edge, and more. In most cases, they are harmless and may even give employee productivity a boost. On the other hand, a malicious one runs inside the employee's browser with access to every site the employee is logged into, so it can open a backdoor into a business network, giving an attacker unauthorized access to proprietary data and a channel through which to siphon it out.
For that reason, it is incumbent upon businesses to take appropriate action to guard their organizations against what is a stealthy and potent threat. To help, here is an overview of the malicious browser extension threat landscape and some tips on what businesses can do to stay safe.
The Scale of the Threat
If one were to judge the scale of the threat posed by malicious browser extensions based on the amount of media coverage they receive, it might seem like an afterthought for business IT security specialists. Nothing could be further from the truth. Every few months, the web extension gatekeepers at Google, Mozilla, and Microsoft announce their latest purging of malicious extensions from their online catalogues.
For example, in May 2023, an independent security researcher identified malicious code in a popular Chrome extension called PDF Toolbox. Within weeks, they found similar code in 34 additional extensions within Google's web store. Google removed the offending extensions only after being alerted to them. Worryingly, the malicious extensions had already been installed by a combined 87 million users by the time of removal. Even more concerning, it indicated that gatekeepers like Google still had not solved a problem that has persisted for years.
For proof, consider that back in 2020, Mozilla took the aggressive step of banning almost 200 extensions from its add-ons site (addons.mozilla.org). They did so because researchers detected that the extensions were covertly downloading and executing code from remote servers on users' machines, something Mozilla's add-on policies prohibit precisely because the code that runs can be changed after review. The threat was so significant that they went a step further and disabled the already-installed instances of the offending plugins in countless real-world browser copies. In this case, many of the plugins traced back to a firm called 2Ring, a purveyor of B2B software. In other words, these were exactly the kinds of plugins you might expect a business user to trust and download.
What Is at Stake
As it stands, malicious browser extensions are one of the few attack vectors that bad actors can reasonably assume most businesses are not guarding against. Moreover, as more businesses than ever now use browser-based SaaS software for some or all their operations, web browsers have become an appealing target: the browser holds the session cookies and page contents for every SaaS application the employee uses. By slipping a single rogue extension onto a device on a business's network, a bad actor can gain a foothold that provides access to a substantial amount of business data. Additionally, it may give them a position from which to launch a wider attack.
For example, Cloud9, a malicious browser extension discovered late in 2022, acted as a remote-access tool that turned infected browsers into a botnet. Among other things, it allowed its handlers to harvest login cookies, run keyloggers on affected machines, and even load and execute additional malicious code on them. It is the kind of threat that can leave a significant portion of an average business's network vulnerable, depending on the user rights the attacker obtains.
How Businesses Can Guard Against Malicious Browser Extensions
In general, the only ironclad way that a business can prevent its employees from installing a malicious browser extension is by disabling users’ ability to install plugins enterprise-wide. However, this approach would create two major problems. The first is that it would deny employees access to a vast library of truly useful browser extensions. The second is that it would create an administrative nightmare as employees seek exceptions from the IT security staff on an ad-hoc basis.
In lieu of a complete browser extension ban, businesses can employ a multilayered defense against malicious browser extensions. This defense should consist of the following:
1. A Standardized Browser or Browsers
The first step to guarding against malicious browser extensions is to choose and mandate a standard web browser type for all employees to use. This limits the number of extension ecosystems IT must vet and the number of policy sets it must maintain. Chrome, Edge, and Firefox all support centrally managed extension policies (through Group Policy templates or a managed policy file), so the choice can be driven by compatibility and workflow needs. For most businesses, Google's Chrome browser is the go-to standard due to its wide compatibility and mature enterprise management tooling. If necessary, a secondary browser like Firefox or Edge may be added for workflows or processes that require it.
2. Create a Group Policy Whitelist
Next, business IT security staff must assemble a whitelist (allowlist) of browser extensions that employees may use, keyed by extension ID rather than by name, since names can be duplicated or imitated. This process should be done in consultation with relevant managers and staff. Once the list is complete, each extension should undergo a thorough vetting process before approval: check the developer's identity and track record; review the permissions and host access requested in the extension's manifest and whether they are proportionate to what the extension does; look for code that is fetched and executed from remote servers; and observe the traffic the extension generates in a test browser through an intercepting proxy such as OWASP ZAP or Burp Suite. Then, the completed whitelist may be enforced through browser policy. Chrome, Edge, and Firefox each expose policies that block all extensions by default and permit only the listed IDs, and the policy can be delivered via network-wide group policy or a managed policy file.
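The following script is an added example, not code from the article or from any vendor, showing how the two halves of this step fit together: the allowlist is read from a Chrome-style `ExtensionSettings` policy document, and each installed extension's manifest is reviewed for the red flags listed above (broad host access, sensitive permissions, Manifest V2, and a content security policy that permits remotely loaded scripts). The policy fragment, the extension IDs, and the two manifests are constructed for the example; the policy key names and manifest fields are Chrome's, but the risk thresholds are the author's assumptions.

```python
"""Audit installed Chrome extensions against a managed ExtensionSettings policy.

Illustrative example. The policy document and the manifests below are
constructed inline so the script runs offline. On a real endpoint the policy
is read from Software\\Policies\\Google\\Chrome (Windows) or
/etc/opt/chrome/policies/managed/*.json (Linux), and each manifest from
<profile>/Extensions/<id>/<version>/manifest.json.
"""
from __future__ import annotations

import json
import re

# Constructed policy in Chrome's ExtensionSettings format: "*" blocks everything
# not listed explicitly. Both extension IDs are placeholders, not real extensions.
POLICY_JSON = """
{
  "ExtensionSettings": {
    "*": {"installation_mode": "blocked",
          "blocked_permissions": ["debugger", "nativeMessaging", "proxy"]},
    "aaaaabbbbbcccccdddddeeeeefffffgg": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"},
    "hhhhhiiiiijjjjjkkkkklllllmmmmmnn": {"installation_mode": "allowed"}
  }
}
"""

# Permissions a reviewer should justify before approving (assumed list).
RISKY_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "debugger", "proxy",
    "nativeMessaging", "management", "history", "clipboardRead", "tabs",
    "scripting", "declarativeNetRequestWithHostAccess",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOST = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")


def allowlist_from_policy(policy_text: str) -> set[str]:
    """IDs the policy permits: anything listed whose mode is not blocked/removed."""
    settings = json.loads(policy_text)["ExtensionSettings"]
    return {ext_id for ext_id, cfg in settings.items()
            if ext_id != "*" and cfg.get("installation_mode") not in ("blocked", "removed")}


def blocked_permissions(policy_text: str) -> set[str]:
    """Permissions the policy's default entry forbids for every extension."""
    settings = json.loads(policy_text)["ExtensionSettings"]
    return set(settings.get("*", {}).get("blocked_permissions", []))


def review_manifest(ext_id: str, manifest: dict, allowlist: set[str], blocked: set[str]) -> list[str]:
    """Return human-readable findings for one installed extension."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    if manifest.get("manifest_version", 2) < 3:
        findings.append("Manifest V2 (may load remote code)")
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if any(BROAD_HOST.match(h) for h in hosts):
        findings.append("broad host access")
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("sensitive permissions: " + ", ".join(risky))
    if perms & blocked:
        findings.append("uses policy-blocked permission")
    csp = manifest.get("content_security_policy")
    # An MV2 string CSP that whitelists https: lets the extension pull scripts
    # from any server, which is how post-review code swaps are done.
    if isinstance(csp, str) and "https:" in csp:
        findings.append("CSP allows remote scripts")
    return findings


def audit(installed, policy_text: str = POLICY_JSON) -> dict[str, list[str]]:
    """Map each installed extension ID to its findings (empty list = clean)."""
    allow = allowlist_from_policy(policy_text)
    blocked = blocked_permissions(policy_text)
    return {ext_id: review_manifest(ext_id, m, allow, blocked) for ext_id, m in installed}


# Constructed manifests standing in for what would be read from the profile directory.
INSTALLED = [
    ("aaaaabbbbbcccccdddddeeeeefffffgg", {
        "manifest_version": 3, "name": "Approved Tool",
        "permissions": ["storage"], "host_permissions": ["https://intranet.example/*"]}),
    ("ppppoooonnnnmmmmllllkkkkjjjjiiii", {
        "manifest_version": 2, "name": "PDF Helper",
        "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
        "content_security_policy": "script-src 'self' https:; object-src 'self'"}),
]

if __name__ == "__main__":
    for ext_id, findings in audit(INSTALLED).items():
        print(ext_id, "->", "; ".join(findings) or "clean")
```

The second, unapproved manifest trips every check at once, which is roughly the profile of the extensions in the 2020 Mozilla and 2023 Chrome removals: wide host access, cookie and request interception, and a policy that lets the code change after it was reviewed.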
3. Deploy Endpoint Protection
Even with a vetted list of allowed browser extensions in place, it is still worthwhile to deploy an endpoint security solution capable of monitoring browser extension activity. This functionality is present in most modern business endpoint security solutions. It can serve as an early warning system to alert administrators if an approved extension becomes compromised or if a user manages to install an extension not on the whitelist.
4. Monitor Network Traffic for Suspicious Activity
It is also a good idea for businesses to monitor their network activity for signs of malicious behavior. For a rogue extension this typically means outbound traffic: persistent or regularly timed connections to unfamiliar servers (beaconing to a command-and-control host), sudden unexplained outbound data transfers, and traffic that does not match the application or protocol expected on a given port. These can all provide clues to IT security staff that there is a rogue program operating within the business's secure network perimeter.
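As an added example (not from the article, and not a product's detection logic), the script below applies the first two heuristics to a set of constructed flow records of the kind a proxy, firewall, or NetFlow export would produce: a destination outside a known-good list that is contacted at near-regular intervals is flagged as a beacon, and a destination that receives far more bytes than it returns is flagged as possible exfiltration. The host names, record values, and thresholds are all assumptions chosen for illustration.

```python
"""Flag beacon-like connections and lopsided egress in constructed flow records.

Illustrative example. Each record is (timestamp_seconds, source_host,
dest_host, bytes_out, bytes_in); the values are constructed, not captured.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Destinations the business expects to see (assumed).
KNOWN_GOOD = {"intranet.example", "updates.example", "saas.example"}

# Constructed records for one workstation over half an hour:
#  - a check-in to cdn-stats.example.net every ~300 s (beacon-like)
#  - ordinary browsing to news.example.com at irregular intervals
#  - one large upload to files.example.org with almost nothing coming back
FLOWS = [
    (0,    "ws-17", "cdn-stats.example.net", 512, 128),
    (301,  "ws-17", "cdn-stats.example.net", 512, 128),
    (598,  "ws-17", "cdn-stats.example.net", 512, 128),
    (902,  "ws-17", "cdn-stats.example.net", 512, 128),
    (1199, "ws-17", "cdn-stats.example.net", 512, 128),
    (1503, "ws-17", "cdn-stats.example.net", 512, 128),
    (1800, "ws-17", "cdn-stats.example.net", 512, 128),
    (10,   "ws-17", "news.example.com", 2_000, 180_000),
    (50,   "ws-17", "news.example.com", 1_500, 95_000),
    (400,  "ws-17", "news.example.com", 1_800, 120_000),
    (410,  "ws-17", "news.example.com", 1_200, 60_000),
    (1200, "ws-17", "news.example.com", 2_100, 140_000),
    (1210, "ws-17", "news.example.com", 900, 30_000),
    (1700, "ws-17", "news.example.com", 1_700, 110_000),
    (120,  "ws-17", "saas.example", 40_000, 900_000),
    (700,  "ws-17", "saas.example", 35_000, 850_000),
    (1000, "ws-17", "files.example.org", 48_000_000, 2_000),
]


def detect(flows, known_good=KNOWN_GOOD, min_hits=6, max_jitter=0.2,
           exfil_bytes=25_000_000, ratio=10):
    """Return (source, destination, kind, detail) alerts for suspicious pairs.

    min_hits:    connections needed before cadence is judged at all
    max_jitter:  max coefficient of variation of the gaps to call it a beacon
    exfil_bytes: minimum bytes out to consider exfiltration
    ratio:       bytes out must exceed this multiple of bytes in
    """
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in flows:
        by_pair[(src, dst)].append((ts, out_b, in_b))

    alerts = []
    for (src, dst), recs in by_pair.items():
        if dst in known_good:
            continue
        recs.sort()
        total_out = sum(r[1] for r in recs)
        total_in = sum(r[2] for r in recs)

        if len(recs) >= min_hits:
            gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            # Low relative spread between connection times = machine cadence.
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= max_jitter:
                alerts.append((src, dst, "beacon",
                               f"{len(recs)} connections every ~{avg:.0f}s"))

        if total_out >= exfil_bytes and total_out > ratio * max(total_in, 1):
            alerts.append((src, dst, "exfil",
                           f"{total_out} bytes out vs {total_in} bytes in"))
    return alerts


if __name__ == "__main__":
    for src, dst, kind, detail in detect(FLOWS):
        print(f"{kind:6} {src} -> {dst}: {detail}")
```

The known-good list does the same job for network monitoring that the extension whitelist does for installs: it keeps the alert volume down to destinations nobody has vouched for. Real beacons often add deliberate jitter, so `max_jitter` should be tuned against a baseline of the business's own traffic rather than left at the value assumed here.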
5. Invest in Employee Training
Lastly, businesses should add specific training regarding malicious browser extensions to their ongoing employee cybersecurity awareness curriculum. This training should include information on how employees can spot potentially hazardous extensions, such as permission requests out of proportion to what the extension does, an installed extension that suddenly asks for new permissions after an update, and lookalike names imitating popular tools, as well as the process by which they can request the addition of a new extension to the company whitelist.
Trusted Business Cybersecurity Specialists
With the threat of malicious browser extensions continuing to grow, businesses should act now to get ahead of the problem. Outsource IT is an invaluable ally in the fight. We offer business IT security services as well as managed IT services to help businesses keep their technology infrastructure safe and running efficiently. To learn more, contact one of our knowledgeable account managers to ask how we can help your business protect itself from digital threats of all kinds.