8 Google Chrome Extensions Hijacked, Targeting 4.8 Million Users
According to recent Proofpoint research, eight extensions for the Google Chrome web browser have been compromised by attackers, sending malicious ads to the affected users. In a report, Proofpoint explained that the authors of these extensions had their credentials stolen, allowing the attackers to take over the extensions.
The attacks occurred primarily in July and August 2017, with the attackers getting the credentials through a phishing scheme, the report said. This means that victims were exposed to malicious popups and potential schemes for stealing their credentials as well.
According to the report, these eight extensions were likely compromised:
– Web Developer 0.4.9
– Chrometana 1.1.3
– Infinity New Tab 3.12.3
– CopyFish 2.8.5
– Web Paint 1.2.1
– Social Fixer 20.1.1
– Betternet VPN
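To check a Chrome profile against the names and versions listed above, the following added example (not from Proofpoint or the original article) walks an `Extensions` directory and reports matching installs. It matches by display name because the article gives no extension IDs; the prefix matching, the function names and the sample tree are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

# Names/versions exactly as the article lists them; None = no version given there.
FLAGGED = {"web developer": "0.4.9", "chrometana": "1.1.3",
           "infinity new tab": "3.12.3", "copyfish": "2.8.5",
           "web paint": "1.2.1", "social fixer": "20.1.1", "betternet vpn": None}

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following Chrome's __MSG_key__ localisation."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    try:
        path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        msgs = json.loads(path.read_text(encoding="utf-8-sig"))
        lowered = {k.lower(): v for k, v in msgs.items()}  # keys are case-insensitive
        return lowered[name[6:-2].lower()]["message"]
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return name  # locale file missing or malformed: keep the raw placeholder

def find_flagged(extensions_root):
    """Return sorted (extension_id, name, version) tuples that match FLAGGED."""
    hits = []
    for mpath in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        name = display_name(mpath.parent, manifest).strip()
        version = str(manifest.get("version", ""))
        for fname, fver in FLAGGED.items():
            # Prefix match (assumption): store names may carry a tagline after the name.
            if name.lower().startswith(fname) and fver in (None, version):
                hits.append((mpath.parent.parent.name, name, version))
    return sorted(hits)

def make_sample(root):
    """Constructed sample tree (<id>/<version>_0/manifest.json); the ids are made up."""
    for ext_id, ver, name in [("a" * 32, "0.4.9", "Web Developer"),
                              ("b" * 32, "2.8.6", "Copyfish")]:
        d = Path(root) / ext_id / (ver + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": ver}))
    return root

if __name__ == "__main__":
    print(find_flagged(make_sample(tempfile.mkdtemp())))  # constructed sample, not a real profile
```

To scan a real profile, pass its `Extensions` directory to `find_flagged` (on Linux this is typically `~/.config/google-chrome/Default/Extensions`). A name match only tells you which installs to review, since a display name is not a unique identifier.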
One of the first indications of this attack surfaced on August 2, when developer Chris Pederick reported his Web Developer for Chrome extension had been hijacked.
After checking to make sure that the extension has been installed, the compromised code retrieves a ga.js file that allows it to steal the host’s credentials and swap out legitimate ads for malicious ones. While the attackers did substitute ads on a range of websites, many of the malicious ads were for adult sites, the Proofpoint report said.
Proofpoint said that, in addition to hijacking traffic and driving users to questionable affiliate programs, the attackers were also observed gathering and exfiltrating Cloudflare credentials, giving them a new means for potential future attacks.
Proofpoint did note that Cloudflare took immediate action to remove the malicious activity that was reported to them.
Source | TechRepublic