Two malicious Chrome extensions named Phantom Shuttle have been discovered to have acted as proxies and network test tools while stealing internet browsing and private information from people’s browsers without their knowledge.
According to security researchers from Socket, these extensions have been around since at least 2017 and were present in the Chrome Web Store until the time of writing. This raises serious concerns regarding the dangers associated with browser extensions even from reputable sources.
Analysis carried out by Socket indicates that the Phantom Shuttle extension directs the online traffic of the victims to a proxy setup that is controlled by the attackers using hardcoded credentials. The attackers hid the malcode using the approach of prepending the malcode to a jQuery library.
The hardcoded credentials for the proxy are also obfuscated using a custom character index-based encoding scheme, which could impact detection and reverse engineering efficiency. The built-in traffic listener in the extensions is capable of intercepting HTTP authentication challenges on multiple websites.
Modus operandi
To force traffic through its infrastructure, Phantom Shuttle dynamically modifies Chrome’s proxy configuration using an auto-configuration script. In a default mode labeled “smarty,” the extensions allegedly route more than 170 “high-value” domains through the proxy network, including developer platforms, cloud consoles, social media services, and adult sites.
Additionally, to avoid breaking environments that could expose the operation, the extensions maintain an exclusion list that includes local network addresses and the command-and-control domain.
Since the extensions operate a man-in-the-middle, they can seize data passed through forms such as credentials, payment card data, passwords and other personal information. Socket claims the extensions can also steal session cookies from HTTP headers, and parse API tokens from requests, potentially taking over accounts even if passwords aren't directly harvested.
Mitigation tips
Chrome users are warned to download extensions only from trusted developers, to verify multiple user reviews and to be attentive to the permissions asked for when installing. In sensitive workload environments (cloud admin, developer portals, finance tools), minimizing extensions and removing those not in use can also dramatically reduce exposure to similar proxy-based credential heists.