In November last year, Princeton researchers revealed how analytics firms were invasively tracking website visitors using scripts that record the pages you visit and the searches you make. The research focused on the exfiltration of personal data by so-called session replay scripts. “More and more sites use ‘session replay’ scripts,” the researchers warned.

"These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers."

It appears developers of malicious extensions are now incorporating this mechanism into their latest offerings. “Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder,” the researchers had said. Who wouldn’t want to look over your shoulder while you browse? Criminals, hackers, advertisers: basically everyone is out for more data.

Malicious Chrome extensions deliver cryptocurrency mining code, inject ads, and violate user privacy through session replay scripts

Over the last few weeks, a number of malicious Chrome extensions (dubbed the Droidclub botnet by researchers) have started to embed a legitimate JavaScript library provided by the web analytics provider Yandex Metrica, which records user actions on every site the victim visits. “These scripts are injected into every website the user visits,” Trend Micro’s latest research reveals.

These extensions hijacked browsers to mine Monero, displayed unwanted ads and also carried the session replay scripts normally used by analytics firms. Whereas in the cases the Princeton researchers documented the recordings went to analytics firms, here it is the criminals who get to record and replay your “keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit.”

“These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things,” Trend Micro researchers wrote. “Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild.”

The library enables attackers to steal data entered into forms, including usernames, credit card numbers, CVV numbers, email addresses and phone numbers. Researchers noted that the legitimate library does not capture passwords, so the attackers cannot capture them either. “Droidclub can also modify the contents of viewed websites,” they added.

"The extension is currently injecting various pieces of Javascript code, one of which modifies these pages by adding external links to certain keywords. These links go to ads as well. Ads within the original site are also replaced with ads chosen by the attacker; the code does it by searching for IFRAME sizes that match those used in advertisements."
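The injected code leaves two artefacts on a page that a defender can look for: a third-party session-replay tag, and ad-sized iframes whose content no longer comes from the site's own ad partners. The audit function below runs over a saved page snapshot and reports both. It is an added example, not code from the article or from Trend Micro's report; the list of replay-provider hosts (only Yandex Metrica is named above), the standard ad sizes, the hostnames and the sample HTML are constructed assumptions.

```javascript
// Added example, not from the article or Trend Micro's report: audit a saved page
// snapshot for (a) third-party session-replay tags and (b) ad-sized iframes served
// from unexpected hosts. Runs under Node with no DOM and no dependencies.

// Session-replay provider hosts. mc.yandex.ru (Yandex Metrica) is the one the article
// names; the others are listed as an assumption and can be extended.
const REPLAY_HOSTS = ['mc.yandex.ru', 'fullstory.com', 'hotjar.com', 'smartlook.com', 'sessioncam.com'];

// Common IAB display ad sizes (width x height). The article says the injected code
// hunts for iframes of ad sizes to swap in the attacker's ads; assumed list.
const AD_SIZES = new Set(['300x250', '728x90', '160x600', '320x50', '300x600', '970x250']);

// Return the attribute map of every <tagName ...> opening tag in raw HTML.
// Tolerant regex parsing is enough for a snapshot audit; not a general HTML parser.
function tagAttributes(html, tagName) {
  const tagRe = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const results = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    results.push(attrs);
  }
  return results;
}

// Resolve a (possibly relative) URL against the site's own origin and return its host.
function hostOf(url, firstPartyHost) {
  try {
    return new URL(url, `https://${firstPartyHost}/`).hostname;
  } catch {
    return '';
  }
}

// True if host is a replay provider or any subdomain of one.
function isReplayHost(host) {
  return REPLAY_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// firstPartyHost: the site's own hostname; adHosts: iframe hosts the site legitimately
// embeds. Any ad-sized iframe from another host is reported as suspicious.
function auditPage(html, firstPartyHost, adHosts = []) {
  const replayScripts = tagAttributes(html, 'script')
    .map(s => s.src)
    .filter(Boolean)
    .filter(src => isReplayHost(hostOf(src, firstPartyHost)));

  const suspiciousIframes = tagAttributes(html, 'iframe')
    .filter(f => AD_SIZES.has(`${f.width}x${f.height}`))
    .filter(f => {
      const h = hostOf(f.src || '', firstPartyHost);
      return h !== firstPartyHost && !adHosts.includes(h);
    })
    .map(f => ({ src: f.src || '', size: `${f.width}x${f.height}` }));

  return { replayScripts, suspiciousIframes };
}

// Constructed snapshot: one first-party script, one Yandex Metrica tag, one legitimate
// ad slot, one swapped 728x90 slot from an unknown host, and one non-ad embed.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://mc.yandex.ru/metrika/watch.js"></script>
</head><body>
<iframe src="https://ads.example-adnetwork.test/slot1" width="300" height="250"></iframe>
<iframe src="https://cdn.attacker.test/ad.html" width="728" height="90"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>`;

const report = auditPage(SAMPLE_HTML, 'shop.example.test', ['ads.example-adnetwork.test']);
console.log(JSON.stringify(report, null, 2));
```

On the constructed snapshot the report lists the Yandex Metrica tag and the 728x90 iframe from cdn.attacker.test, while the site's own ad slot and the YouTube embed pass. Against a real site, feed it `document.documentElement.outerHTML` captured from a browser with the suspect extension installed, since the injection happens client-side and never appears in the HTML the server sends.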

To get the extensions installed, the attacker behind this campaign relies on malvertising and social engineering to trick users into adding them to Chrome.

Google has removed 89 such extensions from the Chrome Web Store; together they had been installed by 423,992 users. Along with removing them from the Store, Google said it had also disabled them on all devices where they were installed.