Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Hijacked Extensions Put 4.7 Million Chrome Users at Risk

More than 4.7 million users were apparently exposed to potentially malicious ads and credential theft after cybercriminals managed to hijack the developer accounts of several popular Chrome extensions.

More than 4.7 million users were apparently exposed to potentially malicious ads and credential theft after cybercriminals managed to hijack the developer accounts of several popular Chrome extensions.

The actors used phishing emails to gain access to the developers’ Google accounts and submit to the Chrome Web Store malicious versions of legitimate extensions. The malicious code injected in these tools was meant to modify the advertisements displayed to users and to grab specific credentials from the victims’ machines.

After taking a closer look at the incidents, Proofpoint concluded that 8 Chrome extensions have been compromised by the actor using the same modus operandi: Web Developer, Chrometana, Infinity New Tab, CopyFish, Web Paint, Social Fixer, TouchVPN, and Betternet VPN. At the moment, these extensions have a combined user base of more than 4.77 million users.

As previously reported, the phishing attack to compromise the developer accounts was pretty straightforward: an email purporting to come from Google Support prompted the targeted developers to log into their accounts to update some information. The login link in the email, however, would take developers to the attacker’s site instead, resulting in their credentials being stolen.

Next, the attackers would take over the compromised developer account and/or hijack their Chrome extension to replace it with a malicious variant. According to Proofpoint, the actor included in the code a check to ensure the extension has been installed for at least 10 minutes before starting the malicious behavior, most probably in an attempt to bypass detection.

The malicious code was also observed attempting to retrieve a remote file called ga.js over HTTPS, from a domain generated via a domain generation algorithm (DGA). Analysis of the malicious components in Web Developer revealed that the code from this step was meant to conditionally call additional scripts, including some that would harvest Cloudflare credentials after the victim’s login.

Next, “the compromised version of the extension attempts to substitute ads on the victim’s browser, hijacking traffic from legitimate advertising networks,” Proofpoint says, adding that the attackers focused mainly on carefully crafted substitution ads on adult websites, although they targeted a variety of other websites as well.

The ad substitutions work for 33 popular banner sizes including 468×60, 728×90, and many more spanning numerous aspect ratios, the researchers say. In many instances, the victims were presented with fake JavaScript alerts claiming that the computer required repairing. Clicking on these ads would redirect users to affiliate programs from which the threat actors could profit.

Proofpoint observed the compromised Web Developer extension directing victims to two such affiliates, but says that others may also have been used. The popup alerts were also associated with the compromise of the Infinity New Tab extension in May 2017, as well as with fake EU cookie-consent alerts last year.

“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks,” Proofpoint concludes.              

Related: One Million Exposed to Adware via Hijacked Chrome Extension

Related: Chrome Users Targeted in Malware Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...