A new malware-as-a-service toolkit that its authors are hawking on a Russian cybercrime forum for between $2,000 and $6,000 is the latest example of how browsers have become a new endpoint for enterprise security teams to protect.
The toolkit, which researchers at Varonis have christened “Stanley,” lets cybercriminals generate malicious Chrome browser extensions that can intercept user visits to real websites or software-as-a-service (SaaS) apps, and overlay attacker‑controlled phishing pages, all while still showing the legitimate URL in the address bar.
Guaranteed Chrome Web Store Approval for Malicious Extensions
Purchasers of the toolkit get a command‑and‑control (C2) panel for managing victims, configuring spoofed redirects, and sending fake browser notifications. At higher tiers, buyers even get a guarantee that any browser extension they create with Stanley will pass Chrome Web Store approval.
“[Stanley] is a turnkey credential theft solution that bypasses Google’s review process,” Varonis researcher Daniel Kelley wrote in a recent blog post. The toolkit’s price tag makes it accessible to solo scammers just as easily as organized crime groups, and highlights how “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint,” he said.
The toolkit comes packaged as a seemingly innocent note-taking and bookmarking Chrome browser extension called Notely. Victims who install it get some legitimate note-taking and bookmarking functionality, and are therefore more susceptible to granting the extension permissions that essentially allow it to insert itself into any website interaction the user might have.
Subsequently, if the user navigates to a website of interest to the attacker — like a bank or cryptocurrency site — the extension quickly hijacks that navigation and overlays a full-screen iframe spoofed to look exactly like the page the user expects. The browser’s address bar meanwhile continues to show the URL of the legitimate domain, lulling even suspicious users into entering their credentials, which the attacker quickly captures and sends to a remote server.
“Looking at the code, the implementation is functional rather than sophisticated,” Kelley wrote. “The techniques (iframe overlay, header stripping, C2 polling) are well-documented, and the code has some rough edges,” he said.
What makes Stanley an even more potent threat is the guarantee that comes with it, he added, noting that the typical advice to “only install from official stores, check reviews, look for verified badges doesn’t help when malicious extensions pass Google’s review process and sit in the Chrome Web Store alongside legitimate tools.”
Google did not respond immediately to a Dark Reading request for comment.
The Growing Browser-Extension Cyber Threat
Browsers and browser extensions have become an increasingly attractive attack vector for threat actors in today’s software-as-a-service (SaaS) and cloud-based business environments. The browser has become the primary workspace for most users, handling authentication, transactions, and privileged actions across SaaS platforms; and extensions provide direct access to users’ online activity and sensitive data. It’s no wonder then that threat actors are increasingly taking advantage of the often extensive permissions that users grant to create malicious extensions, using them to intercept Web traffic, steal credentials, inject phishing content, and carry out other malicious activities. The recent emergence of AI-powered browser extensions has only heightened the risk.
“Stanley is a useful example of how browser-based attacks are maturing, not because the techniques are novel, but because of where the attacker chooses to operate,” says Shane Barney, chief information security officer (CISO) at Keeper Security. “When an attack runs entirely inside that [online] environment, using extensions that appear legitimate and operate with user-approved permissions, it bypasses many of the assumptions security teams still rely on.”
What makes Stanley particularly pernicious is that the URL remains unchanged even when the user is interacting with phishing content, thus creating a defensive blind spot. “Traditional endpoint and network controls are designed to detect malware execution or suspicious traffic patterns, not to question whether the browser itself is faithfully rendering what the user believes they are seeing,” Barney says.
Lionel Litty, CISO at Menlo Security, says it’s important for workers to pay attention when Chrome offers information about an extension’s capabilities and/or asks to grant certain permissions. Enterprise security teams should ideally be allow-listing extensions, restricting users to a small set of trusted ones, especially where extensions carry powerful privileges; and should have capabilities in place to flag extensions that ask for excessive permissions. If that’s impractical, it’s a good idea to review any extensions in use by employees on a regular basis, prioritizing those that require significant privileges, Litty advises.
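One way to operationalise the periodic review Litty describes, as an added example that is not part of the original article or of Varonis’s research: a small auditor that walks a Chrome profile’s on-disk extension manifests (layout `<profile>/Extensions/<id>/<version>/manifest.json`), flags anything off the allow-list that asks for page-rewriting permissions or broad host access, and is exercised here on constructed sample manifests rather than any real extension. The permission list is a constructed starting point to tune, not a definitive set.

```python
import json
from pathlib import Path

# Permissions that let an extension observe or rewrite pages the user visits.
# Constructed starting list for this example; tune it to your risk appetite.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "scripting", "tabs", "cookies", "notifications"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(ext_id, manifest, allowlist):
    """Flag one extension (Manifest V2 or V3) unless its id is on the allowlist."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "broad_host_access": sorted(hosts & BROAD_HOSTS),
        "needs_review": ext_id not in allowlist
                        and bool((perms & RISKY_PERMISSIONS) or (hosts & BROAD_HOSTS)),
    }


def audit_profile(extensions_dir, allowlist):
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json found on disk."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or corrupt manifest: skip it, don't abort the sweep
        findings.append(audit_manifest(path.parent.parent.name, manifest, allowlist))
    return [f for f in findings if f["needs_review"]]


# Constructed sample manifests for this example, not taken from any real extension.
NOTES_MANIFEST = {  # "note-taking" cover story with page-rewriting privileges
    "manifest_version": 3, "name": "Sample Notes",
    "permissions": ["storage", "tabs", "scripting", "notifications",
                    "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Sample Theme",
                   "permissions": ["storage"]}

if __name__ == "__main__":
    print(audit_manifest("constructed-id-1", NOTES_MANIFEST, set()))
```

On a real host, point `audit_profile` at the profile’s `Extensions` directory and feed it the ids your allow-list policy already trusts; everything it returns is a candidate for the prioritised review above.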
“Verifying the URL in the address bar as a defense mechanism no longer works in the presence of a malicious extension,” he says. “For that matter, neither does a phishing resistant factor, as the attacker is in your browser. They no longer need to steal your credentials; they can read and modify the content in your browser.”