Yet another day of Chrome removing malicious extensions from its Web Store, but this time there is more than meets the eye. As reported by Awake, the security firm behind the exposure, all of these extensions link to an Israel-based domain registrar, GalComm. Awake uncovered more than 100 malicious or fake Chrome extensions that used GalComm-registered domains as attacker command-and-control infrastructure and/or as loader pages for the extensions.
GalComm has also been connected to three other web hosting and mobile app solutions companies, two of which are infamous for mass typo-squat attacks on a large number of Google-specific domains.
Awake found almost 60% of the domains registered at GalComm to be malicious and believes it to be complicit in the transgression. “By exploiting the trust placed in it as a domain registrar, GalComm has enabled malicious activity that has been found across more than a hundred networks we’ve examined.”
Awake also alleged that the registrar allowed criminals to bypass “multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity.” Awake believes that such registrars can function like cyber-arms dealers, providing a platform where criminals and nation-states can release malicious sites, extensions and other tools without any consequences or oversight.
Moshe Fogel, founder and CEO of GalComm, said that his company was unaware of any suspicious activity and denied involvement.