The extension, available since February 2018, exploits the API (Application Programming Interface) functionality on websites by interrupting the digital handshake exchanged between user and website when a HTTP request is made, like clicking a link or submitting a form. It cannot be found through a regular search and instead is only proliferated through the sharing of a link.
The extension, created by fbsgang.info, proclaims itself to be a ‘Flash Reader’ and embeds a function in each and every website visited by the targeted user.
Whenever it detects credit number patterns specific to Visa, Mastercard, American Express, and Discovery card formats being inputted into a web form, it automatically relays them to the attacker via an AJAX request (essentially, a message that communicates directly with the server without interrupting the display or normal behavior of the active webpage).
Stolen information includes card issuer names, expiration dates, and CVV/CVC codes.
The good news is that the infection is not widespread, as only 400 installations have been detected, meaning its reach is limited.
Google was alerted by Cybersecurity firm ElevenPaths early last year, but the offending extension still existed in the Web Store in some form until recently. The server used by whoever is behind the malicious extension is currently down, but this may be a temporary measure while the group is under scrutiny or while they prepare another server to which they can redirect unsuspecting users.
It may also be a precursor for a much larger operation.
RT.com has contacted Google for comment.