
Two Chrome Extensions Steal User Credentials Across Over 170 Target Domains

Security researchers have identified two malicious Google Chrome extensions operating under the name Phantom Shuttle that intercept web traffic and steal user credentials. While these extensions are marketed as network speed-test tools and VPN services for developers, they actually function as man-in-the-middle proxies.

Deceptive Business Model

The extensions, published by the same developer, have been active for years; one version was released in 2017 and another in 2023. They utilize a subscription model with prices ranging from approximately $1.40 to $13.50 USD. By integrating legitimate payment methods like Alipay and WeChat Pay and providing functional speed tests, the developer creates a convincing facade of a professional service.

Technical Exploitation

Once a user pays for a subscription and gains VIP status, the extension activates a "smarty" proxy mode. This setting automatically routes traffic for over 170 high-value domains through servers controlled by the attacker. Targeted platforms include:

  • Developer Tools: GitHub, Stack Overflow, and Docker.
  • Cloud Infrastructure: AWS, Microsoft Azure, and DigitalOcean.
  • Social Media: Facebook, Instagram, and X (formerly Twitter).
  • Enterprise Solutions: Cisco, IBM, and VMware.

The malware registers a listener on the browser's web-request API to inject hard-coded credentials into proxy authentication challenges. This process is entirely transparent to the user, allowing the extension to bypass the standard credential prompt and keep the connection flowing through the attacker's proxy.

Data Theft and Monitoring

While active, the extensions maintain a constant connection to a command-and-control server. Every five minutes, the software transmits the user's email and plaintext password to the attacker. Because the attacker sits between the user and the internet, they can capture a wide array of sensitive data, including:

  • Credit card numbers and financial information.
  • Authentication cookies and session tokens.
  • API keys and private developer secrets.
  • Browsing history and form data.

Researchers believe the inclusion of adult websites in the proxy list may also be an attempt to collect information for potential blackmail.

Recommendations for Protection

The infrastructure and language used in the extensions suggest a China-based operation. Security experts emphasize that browser extensions are a growing, often unmanaged risk for both individuals and corporations.

Users who have installed any version of Phantom Shuttle should remove the extension immediately and change their passwords. Organizations are encouraged to implement extension allowlists and monitor network traffic for unauthorized proxy authentication attempts to prevent similar supply chain risks.
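As an added example (not from the article or the researchers' report), the following Python script triages installed Chrome extension manifests for the permission set a hijack like the one described above needs: proxy control, the ability to answer authentication challenges from a web-request listener, and host access to every site. The Chrome permission names and the `Extensions/<id>/<version>/manifest.json` profile layout are real; the extension names and manifest contents are constructed samples.

```python
"""Triage Chrome extension manifests for the proxy-hijack permission set."""
import json
from pathlib import Path

PROXY_CONTROL = {"proxy"}                                           # chrome.proxy
AUTH_INJECTION = {"webRequestAuthProvider", "webRequestBlocking"}  # onAuthRequired (MV3 / MV2)
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect match patterns from MV3 host_permissions and MV2 permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return hosts


def assess_manifest(manifest: dict) -> dict:
    """Return findings for one manifest; 'high' means the extension holds
    everything needed to silently reroute traffic and authenticate to a proxy."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    findings = []
    if perms & PROXY_CONTROL:
        findings.append("can rewrite browser proxy settings")
    if "webRequest" in perms and perms & AUTH_INJECTION:
        findings.append("can answer proxy/auth challenges from a webRequest listener")
    if host_patterns(manifest) & BROAD_HOSTS:
        findings.append("has host access to every site")
    risk = "high" if len(findings) == 3 else "medium" if findings else "low"
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def scan_extensions_dir(extensions_dir: str) -> list:
    """Walk a Chrome profile's Extensions/<id>/<version>/manifest.json layout."""
    results = []
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(mf, encoding="utf-8-sig") as fh:  # some manifests carry a BOM
            results.append({"id": mf.parts[-3], **assess_manifest(json.load(fh))})
    return results


# Constructed samples: a benign tab tool and a manifest shaped like a proxy hijacker.
BENIGN = {"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs", "storage"]}
SUSPECT = {"name": "Dev Speed Test VPN", "manifest_version": 3,
           "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
           "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        print(json.dumps(assess_manifest(m)))
```

A "high" result is a triage hit, not proof of malice; legitimate VPN extensions need the same permissions, which is exactly why an allowlist of reviewed extensions is the durable control.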
