Hackers using fake ‘Flash Player’ Google Chrome extension to steal credit card data

18 Jan, 2019 12:52 / Updated 6 years ago

Cybersecurity researchers are warning unsuspecting internet users about a year-old Chrome extension which steals credit card data from infected users via web forms on visited websites.

The surreptitious extension is spread by means of JavaScript injection attacks i.e. “You don’t have Flash installed, use this Chrome extension instead,” or something to that effect. When unsuspecting or careless users click on these links, it triggers an automated redirect to the malicious extension.

The extension, available since February 2018, exploits the API (Application Programming Interface) functionality on websites by interrupting the digital handshake exchanged between user and website when a HTTP request is made, like clicking a link or submitting a form. It cannot be found through a regular search and instead is only proliferated through the sharing of a link.

Also on rt.com Oklahoma data leak: 7 years of FBI data, corporate info, SSNs & names of AIDS patients exposed

The extension, created by fbsgang.info, proclaims itself to be a ‘Flash Reader’ and embeds a function in each and every website visited by the targeted user.

Whenever it detects credit number patterns specific to Visa, Mastercard, American Express, and Discovery card formats being inputted into a web form, it automatically relays them to the attacker via an AJAX request (essentially, a message that communicates directly with the server without interrupting the display or normal behavior of the active webpage).

Stolen information includes card issuer names, expiration dates, and CVV/CVC codes.

Also on rt.com Over 770 million email addresses shared online in largest data breach in history

The good news is that the infection is not widespread, as only 400 installations have been detected, meaning its reach is limited.

Google was alerted by Cybersecurity firm ElevenPaths early last year, but the offending extension still existed in the Web Store in some form until recently. The server used by whoever is behind the malicious extension is currently down, but this may be a temporary measure while the group is under scrutiny or while they prepare another server to which they can redirect unsuspecting users.

It may also be a precursor for a much larger operation.

RT.com has contacted Google for comment.

Think your friends would be interested? Share this story!