Security researchers at Socket, a software supply-chain security platform, recently identified two versions of the Phantom Shuttle extension still listed in the official Chrome Web Store. The extensions have remained active for several years while masquerading as a legitimate proxy service. Both are published under a single developer name and are marketed to users who need network testing or traffic proxying, primarily individuals and trade workers in China. To use the service, users are prompted to pay for subscriptions ranging from roughly one to fourteen dollars.
The malicious functionality is hidden inside an otherwise legitimate copy of the jQuery library bundled with the extensions. The code decodes hardcoded proxy credentials, obscured with a custom encoding scheme, and connects to a proxy network controlled by the threat actors. The extensions then use a proxy auto-configuration (PAC) script to silently rebind the browser's proxy settings, placing the attackers between the user and the internet. From that position the software can monitor and intercept data from almost any website the victim visits.
To maximize the value of the stolen data, the extensions employ a "smart routing" mode that targets more than 170 high-value domains, including major social media platforms, cloud service management consoles, developer tools, and various adult content portals. By proxying only these sites, the attackers can harvest login credentials, API tokens, and session cookies from HTTP headers. The PAC script is written to leave local networks and the attackers' own command servers unproxied, so the victim's connection keeps working and nothing alerts the user to the intrusion.
The scope of the data theft is comprehensive: the extensions can capture any information entered into web forms, including credit card numbers and personal identification. Because the tools act as a man-in-the-middle, they can extract sensitive information directly from web requests before it is encrypted or sent to the intended destination. Although Google has been notified of the malicious extensions in the Web Store, they were still available for download at the time the security report was published.
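The two behaviours described above, an extension whose permissions let it rebind the proxy and read headers everywhere, and a PAC script that proxies a short list of sensitive domains while leaving local traffic and the operator's own servers alone, can both be checked statically. The following is an added triage script for illustration; it is not Socket's tooling nor code from the extensions in the report. The manifest and PAC script it inspects are constructed samples with placeholder `.example` and `.invalid` hostnames, and the risk thresholds are the author's own heuristics.

```python
"""Static triage of a browser extension that could silently rebind the proxy.

Added example; not Socket's tooling nor code from the extensions in the article.
The manifest and PAC script below are constructed samples with placeholder
(.example / .invalid) hostnames.
"""
import re

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (MV3 layout); the name is a placeholder.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "example-proxy-helper",
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"],
}

# Constructed PAC script with the routing shape described in the article:
# loopback/RFC1918 and the operator's own host stay DIRECT, a short list of
# sensitive domains goes through a remote proxy, everything else is DIRECT.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") || host == "localhost")
        return "DIRECT";
    if (dnsDomainIs(host, "control.invalid")) return "DIRECT";
    if (dnsDomainIs(host, "social.example") || dnsDomainIs(host, "cloud-console.example") || shExpMatch(host, "*.devtools.example"))
        return "PROXY relay.invalid:8080";
    return "DIRECT";
}
"""

# One "if (<condition>) return "<action>"" statement per match.
RULE_RE = re.compile(r'\bif\s*\((.*?)\)\s*return\s+["\']([^"\']+)["\']', re.DOTALL)
# Host-matching helpers that name a specific domain or pattern.
DOMAIN_RE = re.compile(r'(?:dnsDomainIs|shExpMatch)\s*\(\s*host\s*,\s*["\']([^"\']+)["\']')
# Tells that the script deliberately leaves local / loopback traffic alone.
LOCAL_RE = re.compile(r'isPlainHostName|isInNet\s*\(|localhost|127\.0\.0\.1')


def assess_manifest(manifest):
    """Flag permission combinations that enable silent traffic interception."""
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if p in BROAD_HOSTS}
    findings = []
    if "proxy" in perms:
        findings.append("chrome.proxy: can rewrite the browser's proxy settings")
    if "webRequest" in perms and hosts & BROAD_HOSTS:
        findings.append("webRequest + broad host access: can read headers (cookies, tokens) on every site")
    if "webRequestAuthProvider" in perms:
        findings.append("webRequestAuthProvider: can answer proxy auth challenges with embedded credentials")
    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"name": manifest.get("name"), "findings": findings, "risk": risk}


def analyze_pac(pac_source):
    """Summarise which hosts a PAC script proxies, which it exempts, and whether
    it deliberately keeps local traffic DIRECT (the 'don't break anything' tell)."""
    proxied, exempt, proxies, local_direct = [], [], set(), False
    for condition, action in RULE_RE.findall(pac_source):
        domains = DOMAIN_RE.findall(condition)
        if action.strip().upper().startswith("DIRECT"):
            exempt.extend(domains)
            if LOCAL_RE.search(condition):
                local_direct = True
        else:
            proxies.add(action.strip())
            proxied.extend(domains)
    # Selective routing: only a named set of hosts goes through the proxy while
    # the fallthrough is DIRECT. A real proxy product routes everything; this
    # shape is what targeted credential harvesting looks like.
    default_direct = bool(re.search(r'return\s+["\']DIRECT["\']\s*;?\s*}\s*$', pac_source.strip()))
    selective = bool(proxied) and bool(proxies) and (default_direct or local_direct)
    return {
        "proxied_domains": proxied,
        "exempt_domains": exempt,
        "proxy_servers": sorted(proxies),
        "local_direct": local_direct,
        "selective_routing": selective,
    }


def triage(manifest, pac_source):
    """Combine both views into one verdict an analyst can act on."""
    m, p = assess_manifest(manifest), analyze_pac(pac_source)
    verdict = "high" if m["risk"] == "high" and p["selective_routing"] else m["risk"]
    return {"manifest": m, "pac": p, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_PAC), indent=2))
```

The PAC analysis is regex-based rather than a JavaScript evaluation, which is enough to surface the shape (a handful of named domains proxied, local networks and one specific host exempted, everything else direct) without executing untrusted script. In practice the manifest comes from the unpacked extension directory and the PAC source from wherever the extension passes it to `chrome.proxy.settings`, which is the call a reviewer should look for in the bundled scripts.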
This incident is a reminder of the persistent risk posed by browser add-ons, even those distributed through official stores. Users should scrutinize the reputation of extension developers and review the permissions requested during installation; an extension that asks to manage proxy settings and read traffic on all sites deserves particular attention. Relying on well-known publishers and watching for suspicious patterns in user reviews can reduce the chance of installing software that compromises personal and professional accounts.
Source: Socket.dev