Google Chrome Attracting Hacker Attention

April 20, 2010

The good news: at a recent security conference, Google Chrome got kudos as the hardest to browser hack. The bad news: a new hack is targeting possibly overconfident Chrome users and tagging them with malware.The Pwn2own hacking competition at last month's CanSecWest named Google Chrome as the toughest to hack of four browsers -- the others were Microsoft Internet Explorer 7, Mozilla Firefox 3, Apple Safari 4 (Firefox and IE7 were tested on XP systems, Safari on OSX).

Toughest in the competition, but not invulnerable: a Chrome-targeting trojan is now making the rounds.

The Chrome attack poses as an e-mail invite to download a Chrome extension aimed at helping impose order on e-mail.

The link in the e-mail is a redirect, of course, one that lands the user on a fake Chrome extensions page, from which malware is downloaded that cuts the user off from Google (and Yahoo).

Instead of being able to reach Google or Yahoo proper, users are further redirected to phony, malware-laden sites.

Tipoff to the scam is the initial download's use of a .exe extension, whereas legit Chrome extensions are .crx

The fact that the crooks are making an effort to target Chrome indicates that they perceive critical -- and thus profitable -- mass building for the browser.

Which makes it critical that if any of your users are running Chrome, make sure they're aware of the attack and its characteristics.

Make sure as well that they know that Chrome, while plenty tough, isn't impervious to attacks.