Browser vendors such as Google (Chrome) and Mozilla (Firefox) build several protections into their products to keep users from being tracked or having their data read in transit. The most prominent of these is encryption: TLS, and HTTPS built on top of it. Unfortunately, black hat hackers (the bad kind) treat these protections as obstacles to defeat. A notorious Russian hacking group has now made this point in the most literal way by turning the browsers' encryption against their users: the very mechanism meant to make Chrome and Firefox more secure is being used to spy on the people using them.
There is something of an irony to the latest report from Kaspersky. The attackers have found a way to modify the browsers so that their TLS traffic, which is designed to be private and secure, carries a unique "fingerprint" identifying the user and the machine. Kaspersky traced the modification to the browsers' pseudo-random number generator: the "random" bytes that every TLS handshake sends in the clear are no longer random, but encode an identifier derived from the victim's hardware and software. Nothing needs to be decrypted. The marker rides on the handshake of the very protocol that is supposed to prevent eavesdropping, where anyone watching the wire can read it.
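One way a defender could look for this kind of tagging passively, as an added example that is not code from the article or from Kaspersky: parse the TLS ClientHello records seen from one host, extract the 32-byte client random that each handshake is supposed to draw afresh, and report byte offsets whose value never changes. The record layout follows RFC 5246. The 4-byte tag at offset 4 used in the simulated capture is a constructed assumption, since the page does not describe Reductor's actual identifier format, and the "host" is a constructed list of handshakes rather than a live capture.

```python
"""Passive check for marked TLS client randoms.

Added example, not code from the article or from Kaspersky. It parses TLS
ClientHello records (RFC 5246 wire format) seen from one host, pulls out the
32-byte client random that every handshake is supposed to draw afresh, and
reports byte offsets whose value never changes. The marker layout used in the
simulation (a fixed 4-byte tag at offset 4) is a constructed assumption; the
page does not describe the real Reductor identifier format.
"""
import random
import struct
from typing import Dict, List


def build_client_hello(client_random: bytes, session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record for the examples below."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    cipher_suites = struct.pack(">HH", 2, 0xC02F)  # one suite, 2-byte length prefix
    compression = b"\x01\x00"                      # one method: null
    body = (b"\x03\x03" + client_random             # client_version TLS 1.2
            + bytes([len(session_id)]) + session_id
            + cipher_suites + compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> bytes:
    """Walk record header -> handshake header -> ClientHello body; return the random."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < 34:
        raise ValueError("truncated ClientHello body")
    return body[2:34]  # 2-byte client_version, then 32-byte random


def constant_positions(randoms: List[bytes]) -> List[int]:
    """Offsets (0..31) whose byte is identical in every client random given."""
    if len(randoms) < 2:
        return []
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]


def looks_marked(randoms: List[bytes], min_fixed: int = 4) -> bool:
    """Heuristic: honest randoms from one host agree at a given offset across n
    handshakes with probability 256**-(n-1), so several fixed offsets across
    three or more handshakes is a strong sign of tagging."""
    return len(randoms) >= 3 and len(constant_positions(randoms)) >= min_fixed


HYPOTHETICAL_TAG = bytes.fromhex("DEADBEEF")  # constructed marker, not Reductor's


def simulate_host(marked: bool, n: int = 5, seed: int = 7) -> List[bytes]:
    """Constructed capture: n ClientHellos from one host, optionally tagged."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        r = bytearray(rng.getrandbits(8) for _ in range(32))
        if marked:
            r[4:8] = HYPOTHETICAL_TAG  # a patched PRNG would emit this every time
        records.append(build_client_hello(bytes(r)))
    return records


def analyse_host(records: List[bytes]) -> Dict[str, object]:
    """Summarise one host's handshakes: count, fixed offsets, verdict."""
    randoms = [extract_client_random(rec) for rec in records]
    fixed = constant_positions(randoms)
    return {"handshakes": len(randoms), "fixed_offsets": fixed,
            "marked": looks_marked(randoms)}


if __name__ == "__main__":
    for label, marked in (("honest host", False), ("tagged host", True)):
        print(label, analyse_host(simulate_host(marked)))
```

In practice the records would come from a packet capture grouped by source address, and the verdict should only be drawn once a host has produced several handshakes: with two or three samples a single matching offset can still be coincidence, which is why the heuristic demands at least three handshakes and several fixed offsets before flagging a host.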
The only thing scarier than what the hackers did is how they did it. The malware arrives through tampered installer programs for Firefox and Chrome, so that the browsers they install come with this fingerprinting function built in. Kaspersky has so far been unable to pinpoint how and when the installers are modified, but since they are downloaded from legitimate sources, the most plausible explanation is that they are being patched in transit, while the victim is downloading them.
That would be quite a feat. Patching a download in transit implies control over the victim's traffic, at the internet service provider or on another large network along the path. As near-impossible as that sounds, a few groups are capable of it, among them the Russian hacking group Turla. Turla is a cyber-espionage group that has been found to have ties to the Russian government, and it has been involved in several incidents in which ISPs were compromised.
Strangest of all, the malware, called Reductor, is not being used to decrypt the encrypted traffic. That would be trivial given what the malware can do: it is already running on the victim's computer and can read data before the browser ever encrypts it. Instead, it is used only to tag the victim's web traffic so that it can be tracked, even in the event that the malware itself is later removed from the browser.