Malicious Chrome and Firefox extensions that block their removal in order to hijack a user's browser to drive clicks up on YouTube videos and hijack searchers are automatically infecting user devices.
The extensions direct users away from pages that would allow the user to disable or delete them either by closing out pages with extensions/add-ons info, or sending users to a different page, such as an apps overview page, where extensions aren't listed, according to an 18 January Malwarebytes blog post.
Researchers noted it was much easier to circumvent the malicious extension in Firefox than in Chrome. In order to delete the Firefox version of the extension, a user only needs to run the browser in safe mode by holding down the Shift key while starting Firefox, confirm that they want to “Start in Safe Mode” in the prompt, and manually delete the malicious extension.
The Chrome version is more difficult to delete and researchers even suggested users report the issue to their respective security solution. The extension is called “Tiempo en colombia en vivo” and is pushed by forced chrome extension and is detected as Rogue.ForcedExtension.
This version keeps users out of Chrome's extensions list by redirecting users to a URL where the offending extension is not listed and only the installed apps will be shown.
“The clean method to disable extensions from redirecting your Chrome tabs is to start Chrome with disabled extensions,” researchers said in the report. “You can do this by adding the switch “–disable-extensions” to the command to run Chrome.”
Because many of the extensions are automatically uploaded to a user's browser, researchers say the best defence against these kind of attacks is to stay vigilant while surfing the web and use an adblocker. Researchers also recommend reading the fine print of any extensions intentionally downloaded to prevent accidental installation of the malicious extensions.