The extensions are marketed as a "multi-location network speed test plug-in" for foreign trade staff and developers. Believing they are buying a genuine VPN service, users pay subscriptions between ¥9.9 and ¥95.9 CNY ($1.40 and $13.50 USD). When unsuspecting users pay, the extensions automatically activate "smarty" proxy mode and grant them VIP status.

Developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, Digital Ocean, Microsoft Azure), enterprise solutions (Cisco, IBM, VMware), and social media (Facebook, Instagram, Twitter) are among the domains listed. According to security researcher Kush Pandya, the inclusion of pornographic websites is probably an attempt to blackmail victims. The code is intended to automatically insert hard-coded proxy credentials (topfany / 963852wei) into each HTTP authentication challenge on all websites.

As of right now, who is in charge of the eight-year-old operation is unknown. A China-based business is indicated by the extension description's use of Chinese, the integration of Alipay and WeChat Pay for payment processing, and the C2 domain's hosting on Alibaba Cloud. It is recommended that users who have installed the extensions remove them right away.

Deploying extension allowlisting, keeping an eye out for extensions that have proxy permissions and subscription payment systems, and setting up network monitoring for questionable proxy authentication attempts are all crucial tasks for security teams. The results demonstrate how browser-based extensions are turning into an unmanaged risk layer for businesses. "Users believe they're purchasing a VPN service while unknowingly enabling complete traffic compromise," Chris Boulden of socket.com wrote in a blog post regarding the results.
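One concrete way to act on the "keep an eye out for extensions that have proxy permissions" advice is to inventory unpacked extension directories and flag manifests that combine the `proxy` permission, the permissions needed to answer HTTP authentication challenges (`webRequestBlocking` in Manifest V2, `webRequestAuthProvider` in Manifest V3) and broad host access. The following scanner is an added example written for this article, not code from Socket or from the extensions described; the two sample manifests are constructed for the demonstration, and the severity tiers are the author's own triage heuristic, not a vendor rule.

```python
"""Added example: triage installed browser extensions by the permissions that
allow traffic redirection and silent proxy authentication.

Sample manifests below are constructed for the demo; the hypothetical
suspicious one mirrors the capability set the article describes (proxy mode
plus auto-answering HTTP auth challenges on all sites)."""
import json
import os
import tempfile

# Permission that lets an extension rewrite the browser's proxy settings.
PROXY_PERMS = {"proxy"}
# Permissions that let an extension observe or answer HTTP auth challenges
# (chrome.webRequest.onAuthRequired): MV2 uses webRequestBlocking, MV3 uses
# webRequestAuthProvider.
AUTH_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}
# Host patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: capability set matching the behaviour described above.
SUSPICIOUS_MANIFEST = {
    "name": "Hypothetical Speed Test Plug-in",
    "manifest_version": 3,
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"],
}
# Constructed sample: an ordinary extension with no network-control rights.
BENIGN_MANIFEST = {
    "name": "Hypothetical Note Taker",
    "manifest_version": 3,
    "permissions": ["storage"],
}


def assess_manifest(manifest: dict) -> dict:
    """Return a finding list and a severity tier for one extension manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host patterns inside "permissions" rather than separately.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    findings = []
    if perms & PROXY_PERMS:
        findings.append("can change the browser proxy configuration (proxy)")
    if perms & AUTH_PERMS:
        findings.append("can intercept HTTP auth challenges ("
                        + ", ".join(sorted(perms & AUTH_PERMS)) + ")")
    if hosts & BROAD_HOSTS:
        findings.append("has broad host access ("
                        + ", ".join(sorted(hosts & BROAD_HOSTS)) + ")")

    # Heuristic tiers: all three together are what silent traffic
    # redirection plus credential injection on every site requires.
    if perms & PROXY_PERMS and perms & AUTH_PERMS and hosts & BROAD_HOSTS:
        severity = "high"
    elif perms & PROXY_PERMS:
        severity = "medium"
    elif findings:
        severity = "low"
    else:
        severity = "none"
    return {"name": manifest.get("name", "?"), "severity": severity,
            "findings": findings}


def scan_extension_root(root: str) -> list:
    """Walk an extensions directory and assess every manifest.json found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash
        results.append(assess_manifest(manifest))
    return sorted(results, key=lambda r: r["name"])


def demo() -> list:
    """Write the constructed manifests to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for sub, manifest in (("ext_a", SUSPICIOUS_MANIFEST),
                              ("ext_b", BENIGN_MANIFEST)):
            os.makedirs(os.path.join(root, sub, "1.0.0"))
            with open(os.path.join(root, sub, "1.0.0", "manifest.json"),
                      "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return scan_extension_root(root)


if __name__ == "__main__":
    for r in demo():
        print(r["severity"].upper(), r["name"])
        for f in r["findings"]:
            print("   -", f)
```

Point `scan_extension_root` at a real profile's extensions folder (for example the `Extensions` directory under a Chrome user-data profile) to get the same report for installed extensions; a "high" result is a candidate for the allowlist review the article calls for, not proof of malice on its own, since legitimate VPN and proxy tools request the same permissions.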

According to him, the subscription model generates income while retaining victims.