Malicious Browser Extensions Contribute to Insider Threats
Network administrators have a unique challenge of providing users with an efficient working environment that also protects against threats to network security. Most administrators block random installations, but this can be a problem when users need to customize their desktops to work productively in the way that they prefer. This customized environment includes the ability to add browser extensions, but these small programs can lead to unintended malware installed on the user’s desktop.
Some extensions are impossible for the average user to remove.
A recent issue was a hard-to-remove extension. The extension doesn’t seem to harm the local computer, but it is set up to randomly click YouTube videos to overinflate the number of views seen on a user’s YouTube channel. The extension — named Tiempo en colombia en vivo — was installed 11,000 times before Google removed it from its website. Tests done by Malwarebytes show that it’s persistent and written to avoid removal.
The discovery comes only a few weeks after the popular Change HTTP Request Headers extension was found to have malicious code embedded in it. This plugin had 500,000 downloads and was coded to visit advertising sites as part of a scam to earn click rewards through pay-per-click advertisers.
Both Tiempo en colombia en vivo and Change HTTP Request Headers silently accessed the web when user desktops were connected to the Internet. Although their activities were to artificially inflate web activity, because the code runs on the local machine other types of activity are possible. Some extensions steal data input, which makes them a part of insider threats should a user type credentials to the web while having the extension installed.
Insider threats are a growing concern for corporations.
Insider threats take up a large percentage of common cyber security issues for the enterprise environment. In 2017, three main ransomware attacks caused outages across the globe when users installed software or ran malicious scripts on their machines. Particularly, Bad Rabbit’s initial vector was alerting users that they needed to update Flash to view website content. Users then downloaded the software and willingly installed the drive-by malware.
Recent ransomware attacks started from users installing malware.
All three ransomware attacks last year — WannaCry, NotPetya and Bad Rabbit — started their attacks from users installing malware. NotPetya was particularly nasty because its aim was to encrypt the master boot record of the user’s hard drive with no way to recovery. Data was lost contrary to the other two ransomware motives, which was to make money on ransom fees after the user’s hard drive was encrypted.
In 2018, it’s now more important than ever to take strong precautions to protect the local network from insider threats. Not all vulnerabilities come from negligence. They also stem from corporate espionage campaigns or disgruntled employees with malicious intent. These types of threats are difficult to defend against because you’re not looking for an outsider hacking attempt. Instead, you need to defend and monitor from users that have legitimate access to network resources.
How to mitigate insider threats to network security.
You can implement high-level permissions on desktops disallowing any installations, but this is difficult to do when users need access to install preferred tools. One way insider threats propagate is when users leave their desktops unlocked and an attacker is able to access their computer while they’re away. When this happens, saved passwords only further exacerbate the problem.
GateKeeper takes away virtually all threats from intruders gaining access to local machines and web passwords (such as banking and social media logins) from unlocked desktops. It also stops social engineering attempts when attackers are able to gain access to the physical location and find unlocked desktops within the enterprise. If you don’t have defenses against insider threats, it’s time to take precautions.
See GateKeeper Enterprise in action
Take a self-guided tour of GateKeeper Enterprise, the proximity-based centralized access control for secure identity and access management.