You have surely already used browser extensions to enhance your browsing experience or to facilitate the organization of your online meetings. But have you ever thought about the information you inadvertently share by using these seemingly innocent tools? In this article, we unveil a sophisticated espionage campaign hiding behind these popular extensions, turning your virtual meetings into a goldmine of information for malicious actors.
The 3 must-know facts
- An espionage campaign called Zoom Stealer has targeted millions of virtual meetings through popular browser extensions.
- These well-rated and functional extensions have been installed on approximately 2.2 million browsers to capture sensitive data.
- The DarkSpectre group is suspected of being behind this operation, using advanced techniques to collect information on meetings.
Zoom Stealer: an elaborate espionage campaign
Researchers at Koi Security recently discovered a vast digital espionage operation exploiting well-rated browser extensions to infiltrate online meetings. This campaign, known as Zoom Stealer, uses about twenty modules for Chrome, Edge, and Firefox browsers. Far from being fraudulent tools, these extensions are designed to perform legitimate tasks such as audio capture, video downloading, and meeting management.
Despite their harmless appearance, these modules require extensive permissions, allowing them to access 28 video conferencing services, including Zoom, Microsoft Teams, and Google Meet. By injecting scripts into the interfaces of these services, the extensions can extract sensitive information such as meeting links, IDs and passwords, topics, and session schedules.
The risks posed by seemingly innocuous data
At first glance, the information collected by Zoom Stealer may seem inconsequential. However, at scale, these data fragments form a dataset that makes it possible to map the meeting habits of many organizations. The consequences can be severe: discreet eavesdropping on meetings, targeted phishing campaigns, identity theft, and commercial targeting. The collection of this data is carried out discreetly, thanks to persistent connections established by the extensions.
DarkSpectre: the actor behind the threat
According to Koi Security, the Zoom Stealer campaign is orchestrated by a malicious actor named DarkSpectre. This group is already known for previous attacks, such as ShadyPanda and GhostPoster. In these operations, DarkSpectre used seemingly legitimate productivity extensions, to which surveillance functions were added over time. These attacks demonstrate DarkSpectre’s ability to deploy advanced techniques to collect sensitive information on a large scale.
Tips to protect your meetings
To guard against this type of threat, it is advisable to limit the number of extensions installed on workstations, uninstalling those of uncertain origin or that require extensive access to video conferencing tools. Regularly check the list of authorized modules in your company, just as you would for passwords and access rights.
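The audit step described above can be partly automated. As an added example that is not part of the original article, the Python script below walks a Chromium-profile Extensions directory (assumed layout: Extensions/<id>/<version>/manifest.json) and flags extensions whose host permissions or content-script matches reach the three meeting services the article names. A constructed sample manifest is embedded so the logic runs offline.

```python
import json
from pathlib import Path

# The three services the article names (the campaign reached 28); extend as needed.
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")

# Constructed sample manifest (not taken from any real extension).
SAMPLE_MANIFEST = {
    "name": "Meeting Helper (sample)",
    "manifest_version": 3,
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://*.google.com/*"],
    "content_scripts": [
        {"matches": ["https://*.zoom.us/*", "https://teams.microsoft.com/*"],
         "js": ["inject.js"]}
    ],
}

def host_patterns(manifest: dict) -> set:
    """Collect every URL match pattern an extension asks for (MV2 and MV3)."""
    patterns = set(manifest.get("host_permissions", []))
    # MV2 manifests put host patterns in "permissions" next to API names.
    patterns.update(p for p in manifest.get("permissions", [])
                    if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a match pattern such as https://*.zoom.us/* or <all_urls> reaches host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def meeting_hosts_reached(manifest: dict) -> list:
    """Meeting services this manifest can inject into or read, sorted."""
    pats = host_patterns(manifest)
    return sorted(h for h in MEETING_HOSTS if any(pattern_covers(p, h) for p in pats))

def audit_extensions(ext_root: Path) -> list:
    """Return (extension_id, name, reached_hosts) for every flagged extension."""
    flagged = []
    for mf in ext_root.glob("*/*/manifest.json"):
        data = json.loads(mf.read_text(encoding="utf-8"))
        reached = meeting_hosts_reached(data)
        if reached:  # names like __MSG_appName__ are localized; the id is authoritative
            flagged.append((mf.parent.parent.name, data.get("name", "?"), reached))
    return flagged
```

A flagged entry is not proof of malice, only a prompt to compare the extension against the approved list and review what its content scripts do on those hosts.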
The DarkSpectre group: a worrying history
DarkSpectre is a cybercriminal group well known in the security community for its digital surveillance operations. Using sophisticated techniques, DarkSpectre has conducted several espionage campaigns targeting millions of users worldwide. Its ability to conceal malicious functions in popular extensions shows a constant evolution of its methods, making the detection and prevention of these attacks all the more difficult for cybersecurity professionals.