
Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

Blog post from Socket

Post Details
Company:
Date Published:
Author: Kirill Boychenko
Word Count: 3,008
Company Posts That Month: 27
Language: English
Hacker News Points: -
Summary

Socket's Threat Research Team analyzed malicious Chrome and Firefox extensions that posed as free VPNs and, through staged updates, exfiltrated clipboard data to threat actors' infrastructure. The extensions, branded as VPN Go: Free VPN, initially appeared to be legitimate proxy tools, but later versions secretly introduced clipboard-stealing logic that targeted sensitive information such as passwords and cryptocurrency addresses by exploiting users' normal copy-paste behavior. The malicious code split copied text into chunks and transmitted it to hardcoded IP addresses: Chrome versions 1.1 and 1.2 used an earlier IP address, while version 1.3 and Firefox versions 1.3.3 and 1.3.4 switched to a new IP. The extensions marketed themselves with privacy-focused claims that their actual behavior contradicted, prompting reports to Google and Mozilla for review and removal. The extensions used shared infrastructure and code, which highlights the importance of scrutinizing browser extensions that request broad permissions, especially when their functionality does not justify such access.
