Google Axes 500 Chrome Extensions Exfiltrating User Data

Google has removed more than 500 extensions from the Chrome Web Store after they were found performing covert data exfiltration activities. 

Independent security researcher Jamila Kaya and Cisco’s Duo Labs originally identified a network of 70 copycat plugins with 1.7 million users that were infecting users’ browsers and exfiltrating data. Further investigation led to the identification of more than 500 such extensions.

The extensions were marketed as offering advertising as a service, but their developers obfuscated the functionality that connected infected browsers to a command and control (C&C) server, exfiltrated users’ private browsing data, and evaded the Chrome Web Store’s fraud detection.

The threat actor behind these extensions has used the same infrastructure for at least one to two years, Cisco’s Duo Labs security researchers say. The plugins had nearly identical source code (only the function names differ), had no ratings, and each referenced a “.com” website whose name was exactly that of the plugin.

Each of these extensions requests a high and nearly identical set of permissions, which gives it access to a large amount of data in the browser. The plugins also contacted identical external sites (except for the “front” sites) and employed sandbox evasion.

Once installed, the plugins contact the site referenced by their name at regular intervals to receive an instruction on whether to uninstall. They then regularly poll a C&C server for instructions, the location to upload data to, and new domain and feed lists for advertisements and future redirects.

After receiving new instructions, the plugins upload the requested data, update their configuration, and send the browser through a redirection stream.

Data is uploaded to data<.>multitext<.>com, a data exchange domain. The information sent includes usage, time, idle activity, tracking, and browser activity and statistics, all collected without consent.
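As an added example (not code from the article, from Duo Labs or from Google), the following Python script applies three of the indicators described above to a set of unpacked extensions: a broad permission set, a homepage that is simply the extension’s name plus “.com”, and source code that becomes identical once function and variable names are normalized. The extension names, manifests, scripts, keyword list and the permission threshold are constructed for illustration and are not taken from the real campaign.

```python
"""Triage unpacked Chrome extensions for copycat-family indicators.

Constructed example: sample manifests/scripts and the risk threshold are
hypothetical; only the indicators themselves come from the reported findings.
"""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Permissions that, combined, let an extension read and alter most browsing
# data. Hypothetical threshold for this example, not a Web Store policy.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking",
    "cookies", "history", "webNavigation",
}
RISK_THRESHOLD = 3

# Tokens kept verbatim during normalization (JS keywords and well-known API
# names); every other identifier, including words inside string literals,
# is replaced by a positional placeholder.
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "true", "false", "null", "this", "typeof", "setInterval", "fetch",
    "then", "chrome", "runtime", "window", "document", "JSON", "stringify",
    "parse", "location", "href", "console", "log", "storage", "local", "get",
}
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def normalize_js(src: str) -> str:
    """Collapse whitespace and rename identifiers by order of first appearance,
    so scripts that differ only in chosen names or in the hard-coded front
    domain produce the same text."""
    mapping: dict = {}

    def repl(m):
        name = m.group(0)
        if name in JS_KEYWORDS:
            return name
        return mapping.setdefault(name, f"id{len(mapping)}")

    return IDENT_RE.sub(repl, re.sub(r"\s+", " ", src.strip()))


def fingerprint(src: str) -> str:
    """Short hash of the normalized source, used to cluster copycat plugins."""
    return hashlib.sha256(normalize_js(src).encode()).hexdigest()[:16]


def risky_permissions(manifest: dict) -> set:
    return set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS


def names_own_domain(manifest: dict) -> bool:
    """True when the homepage host is just the extension name plus '.com',
    the 'front site' pattern described in the report."""
    host = (urlparse(manifest.get("homepage_url", "")).hostname or "").lower()
    slug = re.sub(r"[^a-z0-9]", "", manifest.get("name", "").lower())
    return bool(slug) and host.removeprefix("www.") == slug + ".com"


def triage(samples: list) -> dict:
    """samples: list of {"manifest": {...}, "scripts": {filename: source}}.
    Returns {name: [reasons]} for samples matching at least two indicators."""
    fps = [fingerprint("\n".join(s["scripts"][k] for k in sorted(s["scripts"])))
           for s in samples]
    families = defaultdict(list)
    for s, fp in zip(samples, fps):
        families[fp].append(s["manifest"]["name"])

    report = {}
    for s, fp in zip(samples, fps):
        m, reasons = s["manifest"], []
        perms = risky_permissions(m)
        if len(perms) >= RISK_THRESHOLD:
            reasons.append(f"broad permissions: {sorted(perms)}")
        if names_own_domain(m):
            reasons.append("homepage is '<extension name>.com'")
        siblings = [n for n in families[fp] if n != m["name"]]
        if siblings:
            reasons.append(f"same normalized code as {siblings}")
        if len(reasons) >= 2:
            report[m["name"]] = reasons
    return report


# Constructed samples: A and B are the same beacon loop with renamed
# identifiers and a different front domain; C is an unrelated benign script.
SCRIPT_A = """
var beacon = "https://fastdealsfinder.com/check";
function poll() {
  fetch(beacon).then(function (r) { return r.json(); })
    .then(function (cfg) { if (cfg.uninstall) chrome.management.uninstallSelf(); });
}
setInterval(poll, 3600000);
"""
SCRIPT_B = """
var h = "https://quickcouponsplus.com/check";
function tick() {
  fetch(h).then(function (x) { return x.json(); })
    .then(function (c) { if (c.uninstall) chrome.management.uninstallSelf(); });
}
setInterval(tick, 3600000);
"""
SCRIPT_C = 'chrome.storage.local.get("notes", function (items) { console.log(items.notes); });'
BROAD = ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies", "storage"]
SAMPLES = [
    {"manifest": {"name": "Fast Deals Finder", "homepage_url": "https://fastdealsfinder.com",
                  "permissions": BROAD}, "scripts": {"bg.js": SCRIPT_A}},
    {"manifest": {"name": "Quick Coupons Plus", "homepage_url": "https://www.quickcouponsplus.com/",
                  "permissions": BROAD}, "scripts": {"bg.js": SCRIPT_B}},
    {"manifest": {"name": "Notes Saver", "homepage_url": "https://example.org/notes",
                  "permissions": ["storage"]}, "scripts": {"bg.js": SCRIPT_C}},
]

if __name__ == "__main__":
    for name, why in triage(SAMPLES).items():
        print(name, "->", "; ".join(why))
```

The identifier renaming is deliberately crude (it also rewrites words inside string literals), which is what makes two copies that differ only in their front-site domain hash identically; against a real corpus you would run it over the unpacked CRX files and then examine the largest clusters by hand, since legitimate extensions built from the same boilerplate will cluster too.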


Redirection streams are used both to carry out the malicious activity and for ad fraud. While many of the ad streams are benign, over two thirds of the redirects lead to malicious sites that serve either malware or phishing.

Kaya also identified malware directly tied to these plugin sites, likely operated by the same actor. The researchers also identified malware tied to the Arcadeyum site and the redirector domains.

“This tie-in, as well as the plugin proliferation, suggests that potentially this actor has been operating for a while and has continued to grow while avoiding detection,” Duo Labs notes. 

The investigation suggests that the actor had been active for at least eight months, since January 2019, with a peak in activity between March and June 2019, when dozens of new variant plugins were released and new domains registered monthly. 

However, some malware and domains associated with the traffic date back to 2018 and 2017. The instruction domains were registered in June 2017, and Duo Labs believes the activity might have originated then.

“Multiple portions of the architecture to support this plugin network were created on the same day or month, with new components, such as redirector domains, released in chunks,” the researchers say. 

Related: New Service From Cisco’s Duo Labs Analyzes Chrome Extensions

Related: New API Changes How Ad Blockers Work in Chrome

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
