The latest example of how the browser has become a new endpoint for enterprise security teams to defend is a malware-as-a-service toolkit that its creators are selling for between $2,000 and $6,000 on a Russian cybercrime forum. The toolkit, which Varonis researchers have named "Stanley," lets attackers build malicious Chrome browser extensions that intercept user visits to legitimate websites or software-as-a-service (SaaS) apps and overlay attacker-controlled phishing pages while the address bar continues to show the legitimate URL.

## Assurance of Malicious Extension Approval in the Chrome Web Store

Toolkit buyers receive a command-and-control (C2) panel for managing victims, setting up spoof redirects, and sending fictitious browser notifications.
Customers at higher tiers even receive a guarantee that any browser extension they develop with Stanley will be accepted by the Chrome Web Store. In a recent blog post, Daniel Kelley, a researcher at Varonis, stated that Stanley is a turnkey credential theft solution that gets around Google's review process. "Many of the presumptions security teams still rely on are circumvented when an attack operates fully inside that [online] environment, using extensions that look authentic and function with user-approved permissions."
Stanley is especially dangerous because the URL doesn't change while the user is interacting with phishing content, which creates a defensive blind spot.
According to Barney, "traditional endpoint and network controls are designed to detect malware execution or suspicious traffic patterns, not to question whether the browser itself is faithfully rendering what the user believes they are seeing."

According to Lionel Litty, CISO at Menlo Security, it's critical that employees pay attention when Chrome requests permissions or provides details about an extension's capabilities. Ideally, enterprise security teams should be able to flag extensions that request excessive permissions and restrict access to a small list of trusted extensions, particularly those with powerful privileges.
If that isn't feasible, Litty suggests reviewing any extensions that staff members are using on a regular basis, giving priority to those that call for substantial privileges.
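
The review Litty describes, as an added example that is not from the article or the vendors quoted: a Python audit that reads each installed extension's manifest, flags access to every site and powerful API permissions, and orders the findings so the most privileged extensions are reviewed first. The list of permissions treated as powerful, the scoring weights, and the extension IDs and manifests are assumptions constructed for illustration.

```python
import json

# Assumption: which permissions count as "powerful" is this example's choice.
HIGH_RISK_APIS = {"webRequest", "declarativeNetRequest", "scripting",
                  "tabs", "cookies", "webNavigation", "notifications"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect host match patterns from every place a manifest can declare them."""
    pats = set(manifest.get("host_permissions", []))            # Manifest V3
    pats |= set(manifest.get("optional_host_permissions", []))  # MV3, granted later
    # Manifest V2 mixes host patterns into "permissions".
    pats |= {p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):          # page injection
        pats |= set(script.get("matches", []))
    return pats

def audit(ext_id, manifest, allowlist):
    """Return (score, reasons); a higher score means review sooner."""
    reasons = []
    broad = sorted(host_patterns(manifest) & BROAD_HOSTS)
    apis = sorted(set(manifest.get("permissions", [])) & HIGH_RISK_APIS)
    if ext_id not in allowlist:
        reasons.append("not on allowlist")
    if broad:
        reasons.append("runs on every site: " + ", ".join(broad))
    if apis:
        reasons.append("powerful APIs: " + ", ".join(apis))
    score = (3 if broad else 0) + len(apis) + (2 if ext_id not in allowlist else 0)
    return score, reasons

def review_queue(installed, allowlist):
    """Order extensions by descending score, dropping those with no findings."""
    scored = [(audit(i, m, allowlist), i) for i, m in installed.items()]
    return [(i, s, r) for (s, r), i in sorted(scored, key=lambda x: -x[0][0]) if r]

# Constructed sample data: IDs and manifests are invented for illustration.
ALLOWLIST = {"a" * 32}
INSTALLED = {
    "a" * 32: json.loads('{"manifest_version": 3, "permissions": ["storage"]}'),
    "b" * 32: json.loads('{"manifest_version": 3, "permissions": ["tabs", "notifications"],'
                         ' "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}'),
    "c" * 32: json.loads('{"manifest_version": 2, "permissions": ["cookies", "*://*/*"]}'),
}

if __name__ == "__main__":
    for ext_id, score, reasons in review_queue(INSTALLED, ALLOWLIST):
        print(score, ext_id, "; ".join(reasons))
```

In practice the `INSTALLED` mapping would be filled from the `manifest.json` files in each browser profile's extensions directory or from an endpoint inventory export.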











