Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Browser Add-ons Add Fraudulent Data

Created: 29 Nov 2012 06:53:37 GMT • Updated: 23 Jan 2014 18:11:19 GMT • Translations available: 日本語
Mathew Maniyara's picture
+3 3 Votes
Login to vote

Contributor: Wahengbam RobinSingh

Phishers continue to devise diverse strategies to improve their chances of harvesting users’ confidential information. Symantec constantly monitors and keeps track of these phishing trends. In November 2012, Symantec observed a phishing site that loaded a malicious browser add-on. The malicious add-on, if installed, would lead users to phishing sites even when a legitimate website is entered in the address bar. Phishers utilized a typosquatting domain to host the phishing site and their primary motive in this strategy was financial gain. The phishing site spoofed a popular e-commerce website.

Figure 1. Browser prevents automatic installation of the malicious add-on

 

The phishing site detects the specific browser application used by the user and prompts for installation of the respective browser application add-on. A dialog box is displayed that states that the browser prevented installation but it asks for user permission to proceed. If Allow is clicked, the user is prompted to install the software.

Figure 2. Browser asks user permission to install the add-on

 

A similar add-on is loaded in Internet Explorer while navigating to the phishing site.

Figure 3: Installation of the malicious add-on in Internet Explorer

 

How does this malicious add-on work?

The malicious add-on modifies the hosts file located in the Windows System32 directory. This file is typically used to assign hostnames or domain names to IP addresses. When a user enters a website URL in the browser address bar, it checks the local DNS information, such as the hosts file, before sending a DNS query to the Internet. This particular add-on assigns the domain names of well-known brands to IP addresses of phishing sites in the hosts file. Therefore, the browser would load a phishing site even if the URL entered in the address bar is a legitimate website.

 

What precautions should Internet users take?

The phishing site in question has been removed and is currently inactive. Nevertheless, users should be aware that other phishing sites similar to this could be encountered in the future. One has to bear in mind that such fake add-ons get installed in the browser only after a user grants permission. Internet users are advised to always be vigilant and be aware of the software they install on their computer.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.