4 Malicious Chrome Extensions Put 500k Users at Risk of Click Fraud

January 17th, 2018 Waqas Malware, Security 0 comments

The presence of spyware and malware in the Chrome browser extensions we use to surf the web is nothing new; every other day we hear about a new strain of malware identified in an extension. Sometimes the extension itself turns out to be fake and nothing more than a piece of malware.

According to a report from ICEBRG, four Google Chrome extensions have been identified as malicious and found to be targeting more than half a million Chrome users as well as workstations at a majority of high-profile organizations operating globally. The four extensions are:

  • Change HTTP Request Header
  • Lite Bookmarks
  • Nyoogle – Custom Logo for Google
  • Stickies – Chrome’s Post-it Notes

It is worth noting that Lite Bookmarks and Change HTTP Request Header have already been removed from the official Google Play Store.

[Image: Change HTTP Request Header extension]

The findings were published in a blog post on Monday, 15th January, by ICEBRG researchers Justin Warner and Mario De Tore. According to the report, these malicious extensions contain suspicious code and affected over 500,000 users worldwide, including corporate workstations. The extensions are used to carry out “click fraud” and “search engine optimization (SEO) manipulation.”

Moreover, these extensions give threat actors a strong foothold, because they can be leveraged to gain access to corporate networks and user information. The extensions were discovered while the ICEBRG research team was investigating a sudden increase in outbound network traffic between a European VPS provider and a customer’s workstation.

“Chrome’s JavaScript engine evaluates JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP),” wrote Warner and De Tore.

Researchers noted that the four extensions did not contain obviously malicious code, but instead combined two separate features in a way that allowed attackers to inject and execute arbitrary malicious JavaScript whenever the extension requested JSON from an external update server. Once injected, the malicious script opens a WebSocket tunnel to change-request.info, which the extension then uses to proxy browsing traffic through the browser on the targeted machine.
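The risk pattern described above is auditable from an extension's manifest: a Content Security Policy that allows 'unsafe-eval' is what lets JavaScript carried inside fetched JSON run, and it is far more dangerous when paired with broad host access and an update URL outside the Web Store. The following is an added example, not code from the article or from ICEBRG; the manifests it checks are constructed samples, and the finding names and risk levels are this example's own.

```javascript
// Added example (not from the article or ICEBRG): flag Chrome extension
// manifests whose CSP allows 'unsafe-eval' (so JavaScript carried inside
// fetched JSON can be evaluated), especially alongside broad host access
// and a non-store update URL. Sample manifests below are constructed.

function parseCsp(cspString) {
  // "script-src 'self' 'unsafe-eval'; object-src 'self'"
  //   -> { "script-src": ["'self'", "'unsafe-eval'"], "object-src": ["'self'"] }
  const directives = {};
  for (const part of cspString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx";

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 stores the CSP as a string, V3 as an object; no key means
  // Chrome's default CSP, which already forbids eval.
  const csp = manifest.content_security_policy;
  const cspString = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  const scriptSrc = parseCsp(cspString)["script-src"] || [];
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("csp-unsafe-eval");
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  if (perms.some((p) => BROAD_HOSTS.includes(p))) findings.push("broad-host-access");
  if (perms.includes("webRequest")) findings.push("webrequest-permission");
  // Anything other than the Web Store update URL means a third party can
  // push new code into the browser.
  if (manifest.update_url && manifest.update_url !== WEBSTORE_UPDATE) {
    findings.push("non-store-update-url");
  }
  let risk = "low";
  if (findings.includes("csp-unsafe-eval")) risk = "medium";
  if (risk === "medium" && findings.includes("broad-host-access")) risk = "high";
  return { name: manifest.name, risk, findings };
}

// Constructed sample manifests, not the real extensions' manifests.
const RISKY_MANIFEST = {
  name: "Example Header Changer",
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"],
  update_url: "https://updates.example.invalid/ext.xml",
};
const BENIGN_MANIFEST = { name: "Example Bookmarks", permissions: ["bookmarks"], update_url: WEBSTORE_UPDATE };
```

Point `auditManifest` at each `manifest.json` under a user's Chrome extensions directory to triage installed extensions; a "high" result does not prove malice, but it is the combination that deserves a closer look at what the update server actually returns.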

“The threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties,” wrote ICEBRG researchers.

[Image: Overview diagram of activity shared by researchers]

One of the two features checks the infected system for Chrome debugging tools and, if any are detected, immediately halts execution of the injected code. The researchers describe this as an anti-analysis technique used to avoid detection.

Currently, it is not clear whether the same attackers are behind all four malicious extensions or whether different threat actors are involved, but it is evident that similar TTPs (tactics, techniques, and procedures) have been used. Researchers noted that these techniques could also allow sophisticated hackers to establish a beachhead in “target networks.”

Google, the US Computer Emergency Readiness Team (US-CERT) and the National Cyber Security Centre of the Netherlands (NCSC-NL) have already been notified about the four extensions, along with affected ICEBRG customers.
