Imagine unseen eyes tracking your every click, subtly siphoning off your data. For thousands, this isn't hypothetical; it's a stark reality. A new wave of sophisticated, malicious browser extensions has been identified across Chrome, Firefox, and Edge, some active for five years. If you've installed any of these digital intruders, remove them immediately to protect your privacy and security.
Koi Security first uncovered the "GhostPoster" campaign, identifying 17 malicious Firefox add-ons monitoring user activity. Malicious JavaScript was hidden in PNG logos, acting as a loader (Koi Security, 2023). LayerX then found another 17 extensions across browsers, with over 840,000 installs. This widespread compromise demands vigilance, especially if you've installed any new add-ons recently.
The GhostPoster Threat and Its Reach
The GhostPoster campaign began on Microsoft Edge, then spread to Chrome and Firefox, potentially active since 2020. Its creators employed stealth tactics, including a 48-hour activation delay and conditional communication with attack servers, making detection challenging (LayerX, 2024).
The list of identified malicious extensions is extensive. If you've installed any of the following, action is required:
- Translate Selected Text with Google
- Ads Block Ultimate
- Floating Player - PiP Mode
- Convert Everything
- Youtube Download
- One Key Translate
- AdBlocker
- Save Image to Pinterest on Right Click
- Instagram Downloader
- RSS Feed
- Cool Cursor
- Full Page Screenshot
- Amazon Price History
- Color Enhancer
- Translate Selected Text with Right Click
- Page Screenshot Clipper
- Google Translate in Right Click
- Productivity Tracker Pro
- Web Enhancer Suite
- Smart Search Assistant
"Google Translate in Right Click" had over 522,000 installs, and "Translate Selected Text with Google" garnered nearly 160,000. Even "Instagram Downloader," with 3,822 installs, harbored a more sophisticated malware variant, showcasing an evolving threat landscape.
Once installed, GhostPoster extensions hijack affiliate traffic, redirecting commissions. They can also strip/inject HTTP headers, bypass CAPTCHA, and inject iframes/scripts for click fraud and user tracking. While they don't harvest credentials or phish, the privacy and financial fraud implications are severe.
Though these malicious extensions are no longer available for new downloads, their danger persists for existing users. If you've installed any of them previously, they remain active until explicitly deleted. Review your browser extensions and remove any suspicious or listed items immediately to protect your digital footprint.
