8 Google Chrome Extensions Hijacked targeting 4.8 Million Users
August 19, 2017
Shah Sheikh

According to recent Proofpoint research, eight extensions for the Google Chrome web browser have been compromised by attackers, sending malicious ads to the affected users. In a report, Proofpoint explained that the authors of these extensions had their credentials stolen, allowing the attacker to take over.

The attacks occurred primarily in July and August 2017, with the attackers getting the credentials through a phishing scheme, the report said. This means that victims were exposed to malicious popups and potential schemes for stealing their credentials as well.

According to the report, these eight extensions were likely compromised:

– Web Developer 0.4.9
– Chrometana 1.1.3
– Infinity New Tab 3.12.3
– CopyFish 2.8.5
– Web Paint 1.2.1
– Social Fixer 20.1.1
– TouchVPN
– Betternet VPN
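
To check a machine against the list above, the following added example (not from the article or from Proofpoint) walks a Chrome profile's `Extensions` directory and flags installed extensions by name and version. It assumes Chrome's on-disk layout `Extensions/<id>/<version>_0/manifest.json` and matches on names as the article spells them, since the article gives no extension IDs; the function names and the sample tree are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# Names and versions exactly as the article lists them; None = no version given.
AFFECTED = {"Web Developer": "0.4.9", "Chrometana": "1.1.3", "Infinity New Tab": "3.12.3",
            "CopyFish": "2.8.5", "Web Paint": "1.2.1", "Social Fixer": "20.1.1",
            "TouchVPN": None, "Betternet VPN": None}

def norm(s):  # lowercase, drop non-alphanumerics, so "Touch VPN" matches "TouchVPN"
    return re.sub(r"[^a-z0-9]", "", s.lower())
def load(path):  # parse a JSON file; {} if it is missing or malformed
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def display_name(ext_dir, manifest):
    """Resolve a localized '__MSG_key__' name via _locales/<default_locale>."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    msgs = load(ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json")
    entry = {k.lower(): v for k, v in msgs.items()}.get(m.group(1).lower(), {})
    return entry.get("message", name)

def scan(extensions_root):
    """Return (name, version, verdict) for installed extensions the article names."""
    hits = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load(mf)
        name, version = display_name(mf.parent, manifest), str(manifest.get("version", ""))
        for listed, bad in AFFECTED.items():
            if norm(name).startswith(norm(listed)):
                verdict = ("no version listed, review" if bad is None else
                           "listed version" if bad == version else "other version")
                hits.append((name, version, verdict))
    return hits

def demo():  # scan a constructed profile tree: placeholder IDs, constructed manifests
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, ver, name in [("a", "0.4.9", "Web Developer"), ("c", "1.0", "Notes"),
                                  ("b", "2.8.6", "__MSG_appName__")]:
            loc = Path(tmp, ext_id, ver + "_0", "_locales", "en")
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text('{"appname": {"message": "Copyfish OCR"}}')
            (loc.parents[1] / "manifest.json").write_text(
                json.dumps({"name": name, "version": ver, "default_locale": "en"}))
        return scan(tmp)
```

Point `scan()` at a real profile's `Extensions` directory to use it. A name-prefix match is a lead to review, not proof of compromise, because unrelated extensions can share a name prefix.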

One of the first indications of this attack surfaced on August 2, when developer Chris Pederick reported his Web Developer for Chrome extension had been hijacked.

Once it has confirmed that it is installed, the compromised extension retrieves a ga.js file that allows it to steal the host’s credentials and swap out legitimate ads for malicious ones. While the attackers substituted ads on a range of websites, many of the malicious ads represented adult sites, the Proofpoint report said.

Fake JavaScript alerts and banner ads also attempted to convince users that their PC was infected with a virus or in need of some sort of repair, the report said. Ads of this type typically redirect users to another program whose operators profit from users paying for repair or antivirus services that they never receive.

In addition to hijacking traffic and driving users to questionable affiliate programs, the attackers were also observed gathering and exfiltrating Cloudflare credentials, giving the actors new means for potential future attacks.

Proofpoint did note that Cloudflare took immediate action to remove the malicious activity that was reported to them.

Source | TechRepublic