More than 1.31 million users attempted to install malicious or unwanted web browser extensions at least once, new findings from cybersecurity firm Kaspersky show.

"From January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions, which is approximately 70% of all users affected by malicious and unwanted add-ons," the company said.

As many as 1,311,557 users fall under this category in the first half of 2022, per Kaspersky's telemetry data. In comparison, the number of such users peaked in 2020 at 3,660,236, followed by 1,823,263 unique users in 2021.

The most prevalent threat is a family of adware called WebSearch, which masquerade as PDF viewers and other utilities, and comes with capabilities to collect and analyze search queries and redirect users to affiliate links.


WebSearch is also notable for modifying the browser's start page, which contains a search engine and a number of links to third-party sources like AliExpress that, when clicked by the victim, help the extension developers earn money through affiliate links.

"Also, the extension modifies the browser's default search engine to search.myway[.]com, which can capture user queries, collect and analyze them," Kaspersky noted. "Depending on what the user searched for, most relevant partner sites will be actively promoted in the search results."

A second set of extensions involve a threat named AddScript that conceals its malicious functionality under the guise of video downloaders. While the add-ons do offer the advertised features, they are also designed to contact a remote server to retrieve and execute a piece of arbitrary JavaScript code.

Over one million users are said to have encountered adware in H1 2022 alone, with WebSearch and AddScript targeting 876,924 and 156,698 unique users.

Also found were instances of information-stealing malware like FB Stealer, which aim to steal Facebook login credentials and session cookies of logged-in users. FB Stealer has been responsible for 3,077 unique infection attempts in H1 2022.

The malware primarily singles out users on the lookout for cracked software on search engines, with FB Stealer delivered through a trojan called NullMixer, which propagates through unofficial cracked installers for software such as SolarWinds Broadband Engineers Edition.


"FB Stealer is installed by the malware rather than by the user," the researchers said. "Once added to the browser, it mimics the harmless and standard-looking Chrome extension Google Translate."

These attacks are also financially-motivated. The malware operators, after getting hold of the authentication cookies, log in to the target's Facebook account and hijack it by changing the password, effectively locking out the victim. The attackers can then abuse the access to ask the victim's friends for money.

The findings come a little over a month after Zimperiumm disclosed a malware family called ABCsoup that masquerades as a Google Translate extension as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

To keep the web browser free of infections, it's recommended that users stick to trusted sources for downloading software, review extension permissions, and periodically review and uninstall add-ons that "you no longer use or that you do not recognize."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.