The malicious Ldi extension has now been removed from the Chrome Web Store.
As the Chrome browser grows in popularity, the number of malicious extensions for it is also growing. Attackers use “clones” of popular plugins to deliver ads, malicious extensions to spoof search queries, or embed a Coinhive cryptocurrency miner in the browser.
IS expert Lawrence Abrams discovered the Ldi plugin, which takes malicious extension activity to the next level. Ldi not only installs the Coinhive miner in the browser, but also uses the victim’s Gmail account to register free domains using the Freenom service.
The extension was distributed via sites with JavaScript notifications urging the user to install the plugin. When the user tried to close the notification, the Ldi page in the Chrome Web Store was automatically opened. The product description was uninformative. “Don’t know if your homepage is compatible with your Mac? Find out with Ldi,” the description of the plugin read. The malicious extension has now been removed from the Chrome Web Store.
The Pirate Bay and Showtime websites were among the first to be caught using Coinhive. A total of 220 sites are secretly mining cryptocurrencies.