
Google Axes 500 Chrome Extensions Exfiltrating User Data

Google has removed more than 500 extensions from the Chrome Web Store after they were found performing covert data exfiltration activities. 


Independent security researcher Jamila Kaya and Cisco’s Duo Labs originally identified a network of 70 copycat plugins with 1.7 million users that were infecting users’ browsers and exfiltrating data. Further investigation led to the identification of more than 500 such extensions.

The applications were marketed as offering advertising as a service, but the developers hid the real functionality from users: connecting the infected browsers to a command and control (C&C) server, exfiltrating users’ private browsing data, and evading the Chrome Web Store’s fraud detection.

The threat actor behind these extensions has been using the same infrastructure for at least one or two years, Cisco’s Duo Labs security researchers say. The plugins had nearly identical source code (only the names of the functions differ), had no ratings, and each referenced a “.com” website whose name exactly matched the plugin’s.

Each of these extensions requires a high, nearly identical level of permissions, which allows them to access a large amount of data in the browser. The plugins also contacted identical external sites (except for the “front” sites) and employed sandbox evasion. 
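The three indicators above (near-identical source that differs only in identifier names, a broad and nearly identical permission set, and a host permission whose name mirrors the extension name) can be turned into simple triage heuristics. The script below is an added example written for this page, not code from the article or from Duo Labs; the manifests, scripts and domain names in it are constructed samples, and the permission list treated as "broad" is an assumed set chosen for illustration.

```python
"""Triage heuristics for Chrome extensions based on the indicators in the
article: identifier-renamed copies of one code base, broad permissions, and
a host permission that mirrors the extension's name.  Every manifest, script
and domain below is a constructed sample, not a real extension."""
import hashlib
import re

# Assumed set of permissions worth flagging as "broad" (illustrative, not exhaustive).
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs",
                     "cookies", "history", "webNavigation"}
JS_KEYWORDS = {"function", "return", "var", "let", "const", "if", "else", "for",
               "while", "new", "this", "true", "false", "null", "undefined",
               "typeof", "in", "of"}
STRING_RE = re.compile(r'''(["'])(?:\\.|(?!\1).)*\1''')
IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")


def normalize_js(src: str) -> str:
    """Blank out string literals, collapse whitespace and rename identifiers in
    order of first appearance, so scripts that differ only in function names
    and embedded domains normalize to the same text."""
    src = STRING_RE.sub('""', src)
    src = re.sub(r"\s+", " ", src).strip()
    names = {}

    def rename(match):
        tok = match.group(0)
        if tok in JS_KEYWORDS:
            return tok
        return names.setdefault(tok, f"id{len(names)}")

    return IDENT_RE.sub(rename, src)


def fingerprint(src: str) -> str:
    """Short hash of the normalized source; equal for identifier-renamed copies."""
    return hashlib.sha256(normalize_js(src).encode()).hexdigest()[:16]


def all_permissions(manifest: dict) -> list:
    return list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))


def broad_permissions(manifest: dict) -> list:
    return sorted(p for p in all_permissions(manifest)
                  if p in BROAD_PERMISSIONS
                  or p.startswith(("*://*/", "http://*/", "https://*/")))


def _slug(text: str) -> str:
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_mirroring_hosts(manifest: dict) -> list:
    """Hosts in the permission list whose first label equals the extension
    name with punctuation removed, e.g. 'Fakeplugin One' -> fakeplugin-one.com."""
    hits = []
    for perm in all_permissions(manifest):
        if "://" not in perm:
            continue
        host = perm.split("://", 1)[1].split("/", 1)[0].lstrip("*.")
        if host and _slug(host.split(".")[0]) == _slug(manifest.get("name", "")):
            hits.append(host)
    return hits


def triage(manifest: dict, script: str) -> dict:
    return {"name": manifest["name"], "fingerprint": fingerprint(script),
            "broad_permissions": broad_permissions(manifest),
            "name_mirroring_hosts": name_mirroring_hosts(manifest)}


def copycat_clusters(samples: list) -> dict:
    """Group (manifest, script) pairs by fingerprint; keep clusters of size > 1."""
    clusters = {}
    for manifest, script in samples:
        clusters.setdefault(fingerprint(script), []).append(manifest["name"])
    return {fp: names for fp, names in clusters.items() if len(names) > 1}


# Constructed samples: two "copies" that differ only in names and front domain,
# plus one unrelated, narrowly-scoped extension.
MANIFEST_A = {"name": "Fakeplugin One", "version": "1.0",
              "permissions": ["tabs", "webRequest", "<all_urls>", "*://*.fakeplugin-one.com/*"]}
MANIFEST_B = {"name": "Fakeplugin Two", "version": "1.0",
              "permissions": ["tabs", "webRequest", "<all_urls>", "*://*.fakeplugin-two.com/*"]}
MANIFEST_C = {"name": "Plain Notes", "version": "2.1", "permissions": ["storage"]}
SCRIPT_A = """
function checkUninstall() {
  fetch("https://fakeplugin-one.com/check").then(function (r) { return r.text(); });
}
setInterval(checkUninstall, 3600000);
"""
SCRIPT_B = """
function pollStatus() {
  fetch('https://fakeplugin-two.com/check').then(function (resp) { return resp.text(); });
}
setInterval(pollStatus, 3600000);
"""
SCRIPT_C = "document.body.textContent = 'hello';"
SAMPLES = [(MANIFEST_A, SCRIPT_A), (MANIFEST_B, SCRIPT_B), (MANIFEST_C, SCRIPT_C)]

if __name__ == "__main__":
    for manifest, script in SAMPLES:
        print(triage(manifest, script))
    print("copycat clusters:", copycat_clusters(SAMPLES))
```

Run stand-alone, it prints a triage record per sample and one cluster containing the two constructed copies; the normalized fingerprint is what lets a reviewer of a large extension corpus spot the "same code, different names" pattern that the researchers describe, while the permission and host checks flag the other two indicators for manual follow-up.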

Once installed, the plugins attempt to contact the site referenced by their names at regular intervals, to be told whether or not to uninstall themselves. Next, they contact a C&C server, checking regularly for instructions, information on where to upload data, and new domain and feed lists for advertisements and future redirects.

After receiving the new instructions, the plugins upload requested data, update their configuration, and get sent through a redirection stream.

Data is uploaded to data<.>multitext<.>com, a data exchange domain. Sent information includes usage, time, idle activity, tracking, and browser activity and statistics, without consent.

Redirection streams are employed for performing the malicious activity and ad fraud. While many of the ad streams are benign, over two thirds of redirects lead to malicious sites that serve either malware or phishing. 

Kaya also identified direct malware tied to these plugin sites, likely operated by the same actor. The security researchers also identified malware tied to the Arcadeyum site and redirector domains.

“This tie-in, as well as the plugin proliferation, suggests that potentially this actor has been operating for a while and has continued to grow while avoiding detection,” Duo Labs notes. 

The investigation suggests that the actor had been active for at least eight months, since January 2019, with a peak in activity between March and June 2019, when dozens of new variant plugins were released and new domains registered monthly. 

However, some malware and domains associated with the traffic were registered in 2018 and 2017. The instruction domains were registered in June 2017, and Duo Labs believes the activity might have originated there. 

“Multiple portions of the architecture to support this plugin network were created on the same day or month, with new components, such as redirector domains, released in chunks,” the researchers say. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
