Malicious Chrome Extension Phantom Shuttle Exposed for Stealing User Credentials

By Tina Reynolds

Cybersecurity researchers have identified a malicious Google Chrome extension named Phantom Shuttle that steals user credentials on more than 170 high-value target sites. The extension, published by the same developer under two separate IDs (fbfldogmkadejddihifklefknmikncaj and ocpcmfmiidofonkbodpdhgddhlcmcofd) and marketed as a VPN/proxy service, intercepts the user's web traffic and captures sensitive information such as passwords, credit card numbers, and authentication cookies.

Phantom Shuttle operates by routing the user's web traffic through a proxy that the extension can switch between three modes: "close" (proxy off), "always" (all traffic proxied), and "smarty" (only traffic to a hard-coded list of domains is proxied). That hard-coded list covers developer platforms, cloud services, enterprise tools, social media sites and adult content sites. The selective mode keeps the proxy out of sight for ordinary browsing, which lets the extension exfiltrate user data continuously while posing as a benign subscription service.
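To make the three modes concrete, here is an added example (not code from the extension or from Socket) that models them as the PAC (proxy auto-config) script a Chrome extension holding the "proxy" permission would hand to chrome.proxy.settings.set(), and then evaluates that script for a few URLs the way the browser would. The mode names follow the article; the proxy host, port and the short target list are placeholders I constructed for illustration. The example goes one step beyond the article in showing a pitfall of such lists: the PAC helper dnsDomainIs() is a plain suffix match, so a list entry must be prefixed with "." or unrelated look-alike domains would be routed through the proxy as well.

```javascript
// Added example (not code from the extension or from Socket): a model of the three
// proxy modes the article describes, expressed as the PAC script a Chrome extension
// with the "proxy" permission would pass to chrome.proxy.settings.set().
// Mode names follow the article; the proxy host, port and target list are placeholders.
const PROXY_HOST = "proxy.example.invalid"; // placeholder, not the real infrastructure
const PROXY_PORT = 8080;

// Constructed stand-in for the extension's hard-coded target list (the real one has 170+ entries).
const TARGET_DOMAINS = ["github.com", "stackoverflow.com", "aws.amazon.com", "facebook.com"];

// Return the PAC source for one mode. Chrome calls FindProxyForURL(url, host) for every request.
function buildPacScript(mode) {
  const proxy = `PROXY ${PROXY_HOST}:${PROXY_PORT}`;
  switch (mode) {
    case "close":  // proxy switched off: everything goes direct
      return 'function FindProxyForURL(url, host) { return "DIRECT"; }';
    case "always": // every request, to any site, goes through the operator's proxy
      return `function FindProxyForURL(url, host) { return "${proxy}"; }`;
    case "smarty": // only the hard-coded target domains (and their subdomains) are proxied
      return `function FindProxyForURL(url, host) {
  var targets = ${JSON.stringify(TARGET_DOMAINS)};
  for (var i = 0; i < targets.length; i++) {
    // exact match or a subdomain; the leading "." stops "notgithub.com" matching "github.com"
    if (host === targets[i] || dnsDomainIs(host, "." + targets[i])) return "${proxy}";
  }
  return "DIRECT";
}`;
    default:
      throw new Error("unknown proxy mode: " + mode);
  }
}

// Minimal stand-in for the dnsDomainIs() helper the browser's PAC environment provides:
// a plain suffix comparison, which is why the generated script prefixes each domain with ".".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}

// Evaluate a PAC script for one URL the way the browser would and return the routing decision.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname.toLowerCase();
  const findProxyForURL = new Function("dnsDomainIs", pacSource + "\nreturn FindProxyForURL;")(dnsDomainIs);
  return findProxyForURL(url, host);
}

// Stand-alone demonstration: routing decision per mode and URL.
for (const mode of ["close", "always", "smarty"]) {
  for (const url of ["https://api.github.com/user", "https://example.org/", "https://notgithub.com/"]) {
    console.log(mode.padEnd(7), url.padEnd(30), "->", evaluatePac(buildPacScript(mode), url));
  }
}
```

When reviewing a suspicious proxy extension, the PAC string (or the equivalent "fixed_servers" rules) is the artifact to pull out of the background script: it tells you exactly which hostnames the operator wanted to see.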

Mechanism of Operation

Phantom Shuttle uses a technical sleight of hand that lets it hijack user credentials without the user's knowledge or consent. When a website or the proxy prompts for HTTP authentication, a listener the extension has registered fires and supplies the built-in proxy credentials. This happens automatically, without any action from the user.

“When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt,” – Kush Pandya.

This tactic maintains the illusion of a normal, seamless browsing experience: no login box for the proxy ever appears. As users navigate to the targeted websites, Phantom Shuttle records their traffic in real time.

“It immediately responds with the hard-coded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction,” – Kush Pandya.

Behind that seamless experience, the extension puts the operator in an effective man-in-the-middle (MitM) position, with the user's traffic flowing through infrastructure the operator controls. The breach of trust goes beyond username and password theft: browsing history, form data, API keys and access tokens all pass through the same proxy. One caveat for anyone assessing exposure: for HTTPS sites a plain proxy sees the CONNECT destination and connection metadata, not the page content, unless the proxy terminates TLS with a certificate the browser trusts, so what is actually captured for a given site depends on what the operator's infrastructure does with the connection.
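The behaviour described in this section (a listener that answers HTTP authentication challenges before any prompt, in asyncBlocking mode, with fixed credentials) corresponds to Chrome's chrome.webRequest.onAuthRequired API. The following is an added example, not Socket's tooling and not the extension's code, of how a reviewer can triage an unpacked extension for that pattern: it reads the manifest permissions and greps the background script for the combination of runtime proxy configuration, an onAuthRequired listener in asyncBlocking mode, and a hard-coded authCredentials object. The manifest and script it inspects are constructed samples; the credential values are placeholders, and the permission names (proxy, webRequestAuthProvider for Manifest V3, webRequestBlocking for Manifest V2) are the real ones Chrome requires for these APIs.

```javascript
// Added example (not Socket's tooling and not the extension's code): static triage of an
// unpacked extension for the proxy-credential-injection pattern described above.
// SAMPLE_MANIFEST and SAMPLE_BACKGROUND are constructed; the credentials are placeholders.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Constructed sample (not the real extension)",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};

const SAMPLE_BACKGROUND = `
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: PAC } }, scope: "regular" });
chrome.webRequest.onAuthRequired.addListener(
  function (details, callback) {
    // answers every challenge, proxy or not, with fixed credentials and no prompt
    callback({ authCredentials: { username: "shuttle-user", password: "placeholder-secret" } });
  },
  { urls: ["<all_urls>"] },
  ["asyncBlocking"]
);
`;

// Inspect a parsed manifest plus a { filename: source } map and return a verdict with findings.
function triageExtension(manifest, scripts) {
  const findings = [];
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  const hosts = manifest.host_permissions || [];
  const source = Object.values(scripts).join("\n");

  // Manifest-level capabilities: each is legitimate on its own, suspicious in combination.
  if (perms.has("proxy")) findings.push("manifest: 'proxy' permission (can reroute all browser traffic)");
  if (perms.has("webRequestAuthProvider") || perms.has("webRequestBlocking"))
    findings.push("manifest: can answer HTTP auth challenges from code (webRequestAuthProvider/webRequestBlocking)");
  if (hosts.includes("<all_urls>")) findings.push("manifest: host scope is <all_urls>");

  // Code-level indicators. Plain text matching is enough for triage; a reviewer still reads the code.
  const setsProxy = /chrome\.proxy\.settings\.set\s*\(/.test(source);
  const authListener = /onAuthRequired\.addListener\s*\(/.test(source);
  const asyncBlocking = /["']asyncBlocking["']/.test(source);
  // authCredentials followed (within a short window) by a literal password string.
  const hardCodedCreds = /authCredentials[\s\S]{0,200}?password\s*:\s*["'][^"']+["']/.test(source);

  if (setsProxy) findings.push("code: sets the browser proxy configuration at runtime");
  if (authListener && asyncBlocking) findings.push("code: onAuthRequired listener in asyncBlocking mode (runs before any credential prompt)");
  if (hardCodedCreds) findings.push("hard-coded credentials supplied via authCredentials");

  let verdict = "low";
  if (setsProxy && authListener && asyncBlocking && hardCodedCreds) verdict = "high";
  else if (setsProxy || (authListener && asyncBlocking)) verdict = "medium";
  return { verdict, findings };
}

// Stand-alone demonstration on the constructed sample.
const report = triageExtension(SAMPLE_MANIFEST, { "bg.js": SAMPLE_BACKGROUND });
console.log("verdict:", report.verdict);
for (const f of report.findings) console.log(" -", f);
```

The verdict is a triage score, not proof: a genuine VPN or corporate proxy extension uses the same two APIs. What separates the pattern described here from a legitimate product is the combination of an all-sites host scope, credentials baked into the package rather than entered by the user, and a listener that fires silently on every challenge, so a "high" result should send the reviewer to the PAC script and the proxy host before any conclusion is drawn.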

Targeted High-Value Domains

Phantom Shuttle targets a large list of domains that includes some of the most widely used platforms across sectors. It covers developer resources such as GitHub, Stack Overflow and Docker, and commercial cloud services such as Amazon Web Services, DigitalOcean and Microsoft Azure.

Beyond these professional services, Phantom Shuttle also operates on major social media platforms such as Facebook, Instagram and Twitter. The inclusion of adult content sites widens the pool of potential victims further.

“The combination of heartbeat exfiltration (credentials and metadata) plus proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active,” – Socket.

Phantom Shuttle is deliberate about the domains it targets, which makes its malicious purpose plain: the list is chosen to cover every facet of a user's online activity, from work accounts to personal ones.

Concealed Threat and User Deception

Even while carrying out this activity, Phantom Shuttle presents a benign face. Users believe they are buying an ordinary VPN service and instead open the door to full traffic collection. The developers use a subscription model that keeps victims paying and connected; the revenue funds the operation, and the polished, paid-for product hides the extension's real purpose.

“The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy,” – Socket.

As long as consumers keep using such deceptive services, they remain exposed to large-scale data theft. Phantom Shuttle shows how a polished, commercial-looking product can conceal a serious security threat, and it is a reminder to be careful whenever you install a browser extension. Users can check chrome://extensions for either of the two IDs listed above and remove the extension; administrators can block both IDs with Chrome's ExtensionInstallBlocklist enterprise policy and should treat any credentials used on the targeted sites while the extension was installed as compromised.

“Users believe they’re purchasing a VPN service while unknowingly enabling complete traffic compromise,” – Socket.