Urgent warning about new fake website scams on Chrome and Edge – here’s how to find out if you’ve been affected

Cybersecurity experts have discovered a large-scale hacking campaign targeting Google Chrome and Microsoft Edge.

Criminals place malicious websites on popular search engines, posing as legitimate software for sites like YouTube and Roblox.

When victims download the fake software, they give attackers access to sensitive login credentials and other personal information, which may include banking details.

According to experts, this malware is particularly dangerous because it cannot be removed by simply deleting the file. The file is reinstalled every time the PC is restarted. However, specific extensions have been identified that are used in the attacks.

Since 2021, at least 300,000 people have fallen victim to the nationwide malware attack, according to ReasonLabs, which discovered it. The malware can steal users’ browser search histories to obtain login credentials for sensitive data such as banking information.

Kobi Kalif, CEO and co-founder of ReasonLabs, said: “This recently discovered malware campaign is just the latest example of how cybercriminals are targeting consumers in the digital world.

“Our research team remains committed to tracking these threats and providing our users with the tools, knowledge, and information to stay safe online.

“We immediately alerted Google and Microsoft when we became aware of the problem. They are now taking appropriate measures.”

People unknowingly downloaded the software thinking they were installing a Chrome extension, but in reality they were running a PowerShell script on the computer.

PowerShell is Microsoft’s command-line tool for Windows, designed for more experienced users to control the core functions of their own computer directly.

The hackers’ fake error messages encourage unwitting users to copy and paste raw code and then install it as a “fix” by executing or “running” that code in PowerShell.

This downloads a so-called “next-stage payload,” which connects the hacker’s remote server to the victim’s computer to modify the Windows registry and force Chrome and Edge to fully install the malicious software.

Once the extension is added to the PC, it cannot be disabled by the user, even if Developer Mode is enabled, ReasonLabs said.

Developer mode is used to prevent people from installing malicious software on their computers, thereby reducing the chance of becoming a target of a cyber attack.

The hackers can then steal user search queries from sites like Ask.com, Bing, and Google, thereby gaining access to the user’s data.

DailyMail.com has reached out to Google and Microsoft for comment.

Microsoft Edge users have been compromised by installing malicious software extensions on their computers that are becoming increasingly difficult to remove


How to identify the malware

While the name of the malware varies, users can recognize it by its pathname, ‘c:/windows/system32’, and by the PowerShell script ending in ‘.ps1’.

To access this, users need to open the ‘Task Scheduler’ from the start menu and open the Library option to see all the downloaded ‘tasks’ installed on the PC.

To find the file details and pathname, the user needs to click on ‘Actions’ and then on the ‘File Details’ option.

How do you remove the malware?

ReasonLabs said that “newer versions of the script remove browser updates.”

Fortunately, if you do not want to update to a newer version of Chrome or Edge, you can remove the malware from your device manually, which ensures it is completely removed from your PC. However, this is a lengthy process.

Once it has been determined which tasks constitute the malware, users should delete the registry keys that force the computer to reinstall the software and keep it running in the background.

Open the Registry Editor from the Start menu, navigate to the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, select the Chrome extension entry in the right panel and delete it.

Users should also remove the extension entry from the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist.

These steps should also be repeated for the Edge extension by deleting the entry under the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist.
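As an added example (not code from the article or from ReasonLabs), the PowerShell script below automates the two checks described above: it lists scheduled tasks whose action launches a .ps1 script and any entries under the three ExtensionInstallForcelist keys. It uses only standard Windows PowerShell cmdlets, reports its findings and removes nothing.

```powershell
# Added example, not from the article: audit the persistence artefacts it describes.
# Run in an elevated PowerShell session on Windows 10/11. Read-only; review before acting.

# 1. Scheduled tasks whose action runs a PowerShell script (.ps1). The article
#    describes such a task re-installing the extension policy on every reboot.
function Get-SuspiciousPs1Tasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Exec actions expose Execute (program) and Arguments; other
            # action types leave these empty, so the regex simply does not match.
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmdline -match '\.ps1\b') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmdline
                }
            }
        }
    }
}

# 2. Force-installed extensions pushed through the policy keys named in the
#    article. Each value holds "<extension id>;<update URL>".
$forcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtensions {
    foreach ($key in $forcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $id, $updateUrl = ($p.Value -split ';', 2)
            [pscustomobject]@{
                Key         = $key
                ValueName   = $p.Name
                ExtensionId = $id
                UpdateUrl   = $updateUrl
            }
        }
    }
}

Get-SuspiciousPs1Tasks | Format-Table -AutoSize
Get-ForcedExtensions   | Format-Table -AutoSize
```

On an unmanaged home PC these policy keys are normally absent, so any entry deserves scrutiny; on a domain-joined machine compare the listed extension IDs against those your administrator intentionally deploys.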