A Chrome extension that is still available on the Chrome Web Store steals payment card information from forms on the websites its users visit.
The extension has been active since February 2018. It is hidden from regular searches and is available only through the link that the attackers use to spread it.
According to Elevenpaths' analysis, the extension embeds a simple function in every website the user visits and abuses the webRequest.onBeforeRequest API functionality to intercept the user's form submissions.
The injected scripts watch for credit card numbers using regular expressions in the code for Visa (vvregex), MasterCard (mcregex), etc. “In case of any of the data included in the request is a card number, these numbers –encoded in JSON– will be sent to the attacker through an AJAX request.”
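A defensive check for the capability combination described above, as an added example that is not from Elevenpaths or the extension itself: it flags manifests that pair webRequest with all-site host access, or that inject content scripts into every site. The function names and sample manifests are constructed for illustration.

```javascript
// Added example: triage parsed manifest.json objects for the capability
// combination described above. All manifests here are constructed samples.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True if any match pattern in the list covers every site.
function hasBroadHost(patterns) {
  return (patterns || []).some((p) => BROAD_HOSTS.has(p));
}

// Returns the list of findings for one manifest.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  const hosts = perms.concat(manifest.host_permissions || []);
  const findings = [];
  if (perms.includes("webRequest") && hasBroadHost(hosts)) {
    findings.push("webRequest with access to all sites");
  }
  if ((manifest.content_scripts || []).some((cs) => hasBroadHost(cs.matches))) {
    findings.push("content script injected into all sites");
  }
  return findings;
}

// "high" when both capabilities are present, "review" for one, "low" for none.
function classify(manifest) {
  const n = auditManifest(manifest).length;
  return n === 2 ? "high" : n === 1 ? "review" : "low";
}

// Constructed manifests (hypothetical extensions, not taken from the report).
const SAMPLES = {
  formWatcher: { // V2-style: hosts listed in "permissions"
    permissions: ["webRequest", "<all_urls>"],
    content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  },
  adFilterV3: { // V3-style: hosts listed in "host_permissions"
    permissions: ["webRequest", "storage"],
    host_permissions: ["*://*/*"],
  },
  siteHelper: {
    permissions: ["storage"],
    content_scripts: [{ matches: ["https://example.com/*"], js: ["helper.js"] }],
  },
};

for (const [name, m] of Object.entries(SAMPLES)) {
  console.log(name, classify(m), auditManifest(m));
}
```

Many legitimate extensions also request these permissions, so a "high" or "review" result marks an extension for manual inspection of its scripts rather than proving it malicious.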
The Reader Flash extension was found to have been installed more than 400 times, and it is available only through the link and not through common search. “The infrastructure has not been massively spread so far.”
Elevenpaths has reported the extension to Google so that it can be removed from the Chrome store.