HackRead

7 More Chrome Extensions Hacked via Phishing Scam

August 16th, 2017 | By Waqas | Cyber Crime, Phishing Scam, Privacy, Scams and Fraud, Security

Google Chrome extensions have been on the radar of cybercriminals of late: security experts have identified seven more compromised extensions.

Last month we reported that the Google Chrome extension Copyfish had been compromised after its developer fell for a phishing email and gave away his Google account credentials. At the time, we assumed it was a mistake on the developer’s part and brushed off the likelihood of another such incident. We have been proven wrong: Proofpoint security researchers say that at least seven more Chrome extensions have been compromised.

Researchers state that the attacker obtained Google Account credentials through a phishing scam and managed to compromise seven widely downloaded extensions, putting many users at risk of credential theft and traffic hijacking.

In their blog post, Proofpoint researchers exposed the names of compromised Chrome extensions:

“We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10], “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June,” read the blog post.

This means cyber criminals and spammers are constantly searching for novel ways to drive traffic to their partners’ programs and to push malicious, unwanted ads into victims’ browsers. The attacks were observed at the end of July and the beginning of August. After obtaining the developers’ credentials, the hackers were able to publish “malicious versions of legitimate extensions,” stated Proofpoint researchers.

As in the Copyfish compromise, the criminals deceived extension developers into giving away their Google Account credentials, which were then used to access the Google developer accounts linked to certain Chrome extensions. Once they had access, the hackers modified those extensions with malicious code.


The Proofpoint research team explained that the infected extensions could substitute advertisements in victims’ browsers, hijack incoming traffic from legitimate ad networks, and present fake JavaScript alerts that trick victims into repairing their computer systems. Adult websites were singled out for ad substitution, and much of the focus was on one unnamed ad network.

“(The) malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used,” revealed Proofpoint blog post.

The affiliate landing pages “browser-update[.]info, Browser-Update[.]info and searchtab[.]win” received substantial traffic; for example, 920,000 visits were recorded for searchtab[.]win in a month. It is not clear, however, whether all of that traffic was generated by the infected Chrome extensions.

On August 12th, developer Chris Pederick tweeted that Chrome’s Web Developer extension had been compromised and that a hacked version 0.4.9 of the extension was being uploaded and distributed. It was this tweet that alerted Proofpoint researchers to the latest extension hijacks. Proofpoint was able to retrieve the compromised version and extract the malicious code. Analysis showed that the code retrieved a remote file named ga.js over HTTPS from a server whose domain was generated by a domain generation algorithm (DGA).

“The code from this first step allows the threat actors to conditionally call additional scripts including some to harvest Cloudflare credentials,” researchers said.
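
A defender-side check for the versions Proofpoint names above, as an added example (not code from HackRead or Proofpoint): it walks a Chrome profile's Extensions directory and flags manifests whose name and version match the quoted list. Matching by display name is an assumption, since the page gives no extension IDs; TouchVPN and Betternet VPN are left out because no versions are quoted for them, and demo() runs on constructed sample manifests.

```python
import json
import tempfile
from pathlib import Path

# Name/version pairs as quoted from Proofpoint in the article. The page gives
# no extension IDs, so matching is by display name (a heuristic assumption).
COMPROMISED = {"web developer": "0.4.9", "chrometana": "1.1.3",
               "infinity new tab": "3.12.3", "copyfish": "2.8.5",
               "web paint": "1.2.1", "social fixer": "20.1.1"}

def load_json(path):  # parsed JSON object, or {} if missing or malformed
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        data = None
    return data if isinstance(data, dict) else {}

def display_name(version_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ locale placeholder."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def scan_extensions(root):
    """Check <root>/<extension id>/<version dir>/manifest.json against the list."""
    hits = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        manifest = load_json(path)
        name = display_name(path.parent, manifest)
        if any(bad in name.lower() and manifest.get("version") == ver
               for bad, ver in COMPROMISED.items()):
            hits.append((path.parent.parent.name, name, manifest["version"]))
    return hits

def demo():  # constructed profile: one listed version, one newer version
    root = Path(tempfile.mkdtemp())
    files = {
        "aaaa/0.4.9_0/manifest.json": {"name": "__MSG_extName__",
                                       "version": "0.4.9", "default_locale": "en"},
        "aaaa/0.4.9_0/_locales/en/messages.json":
            {"extname": {"message": "Web Developer"}},
        "bbbb/2.8.6_0/manifest.json": {"name": "Copyfish", "version": "2.8.6"}}
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(content))
    return scan_extensions(root)
```

Point scan_extensions at a profile's Extensions folder, for example ~/.config/google-chrome/Default/Extensions on Linux.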

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
