Select Page

Google removed 500 malicious Chrome extensions from its Web Store after they found to inject malicious ads and siphon off user browsing data to servers under the control of attackers.

These extensions were part of a malvertising and ad-fraud campaign that’s been operating at least since January 2019, although evidence points out the possibility that the actor behind the scheme may have been active since 2017.

The findings come as part of a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security, which unearthed 70 Chrome Extensions with over 1.7 million installations.

Upon sharing the discovery privately with Google, the company went on to identify 430 more problematic browser extensions, all of which have since been deactivated.

“The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms,” said Kaya and Duo Security’s Jacob Rickerd in the report.

A Well-Concealed Malvertising Campaign

Using Duo Security’s Chrome extension security assessment tool — called CRXcavator — the researchers were able to ascertain that the browser plugins operated by surreptitiously connecting the browser clients to an attacker-controlled command-and-control (C2) server that made it possible to exfiltrate private browsing data without the users’ knowledge.

The extensions, which functioned under the guise of promotions and advertising services, had near-identical source code but differed in the names of the functions, thereby evading Chrome Web Store detection mechanisms.

images from Hacker News