- Google removes 500 malicious extensions from Chrome Web Store
- The extensions were part of a fraud malvertising campaign from January 2019
- They collect a worrying amount of information from users and redirect them to advertising sites
- The threats they pose include generating revenue through ad fraud, phishing and installing malware
- At least 1.7 million users were affected
- A list of the extensions has been released; users are advised not to activate them at any cost
Google Chrome has recently removed 500 extensions that were posing a serious risk to users.
It is no secret in the hacking and cybersecurity world that browser extensions are widely used as weak spots for stealing users' private data.
Security researcher Jamila Kaya used CRXcavator, a tool released by Cisco's Duo Security, to identify 70 such malicious Chrome extensions that flooded users with adware and exposed them to phishing and malware while posing as innocent, useful software.
Read the complete article to learn what happened, whether you are at risk and what you can do to improve your browser security.
The malvertising browser extensions in Google Chrome
Delving into the extensions, Jamila began by analysing MapsTrek Promos and CrushArcade Advertisements, two plugins that surprisingly share the same code with only minor differences.
They contact the same external sites and ask for the same level of permissions.
“The code on the left from CrushArcade references the same C2 sites but adjusts to reference a “CA” network (Crush Arcade) and is under the name adapt_timetable.js, while the one on the right references “MT” (MapsTrek) and is called addition_thread.js,” says Duo in its research.
Comparing the code for the two malicious plugins. Source: https://duo.com/labs
- The plugins contact external sites like Mapstrek<dot>com, ArcadeYum<dot>com to receive instructions.
- They try to evade detection from sandboxes by redirecting to gdprcountryrestriction<dot>com site.
- They contact the attacker's command-and-control domains, such as DTSINCE<dot>com, to receive further instructions and advertising feed details.
- The plugins also collect huge amounts of data from the user without their knowledge, let alone their consent.
- They redirect the user to sites that show them large amounts of genuine and fraudulent ad content.
While not all of the ads are fraudulent or illegitimate, the main aim of the extensions is to generate revenue through ad fraud and malvertising.
After digging further, Jamila found that adware is not the only thing users need to worry about.
The sites referenced in the plugins are also connected to malware and phishing.
Missouri has even marked DTSINCE<dot>com as phishing.
That is why the security risk posed by these extensions is highly critical.
They start out as adware and then upgrade their code to malware.
Sometimes the same actor running these adware campaigns is also running malware campaigns, which is reason enough not to trust applications from developers you have hardly heard of.
Who is behind these 500 malicious extensions?
According to the research, the threat actor has been active since January last year and stepped up its operations in mid-2019.
However, technical details such as the registration dates of the attacker's domains show that the actor has been around since 2017.
DNS lookups suggest that the attacker registered many sites to carry out phishing campaigns, but there is not enough information to name anyone.
What did Google do about the infected extensions?
Google is known to take user security seriously and worked with Jamila and Duo to identify more such extensions, 500 in total, and remove them from the Chrome Web Store.
The names of the extensions have been released publicly, and users have been sent a warning message asking them not to re-activate the affected extensions.
Mapstrek.com, Gameschill.com, Recipeally.com, easytoolonline.com, playpopgames.com, Arcadeyum.com and MapsFrontier Advertisement Offers are among the domains and extension names included in the list.
Please check the full list of indicators of compromise and make sure that you have none of them installed on your browser.
We also advise you to maintain the best possible standard of cybersecurity hygiene while surfing the web. You can also use crxcavator.io to check the risks associated with an extension before adding it to your browser.
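The behaviour described above (extensions that phone home to the listed domains and hold permissions broad enough to read and redirect every page) and the advice to check the indicators against what is installed can be combined into a local check. The script below is an added example, not code from this article or from Duo: it walks an unpacked Chrome Extensions directory (the usual `<id>/<version>/manifest.json` layout), reads each manifest, and flags an extension when its files reference one of the article's indicator domains, when its name matches one of the extensions the article names, or when it requests permissions that allow observing or rewriting arbitrary browsing. The `IOC_DOMAINS` and `IOC_NAMES` sets come from the article; `HIGH_RISK_PERMISSIONS` and the two sample extensions are the example's own assumptions and constructed data.

```python
"""Scan unpacked Chrome extensions on disk for the indicators named in this article.

Added example (not code from the article or from Duo). It reads each manifest.json,
looks for the article's indicator domains in the extension's scripts, and reports
permissions broad enough to read and redirect every page the user visits.
"""
import json
import re
import tempfile
from pathlib import Path

# Indicator domains as given in the article (written de-fanged as "<dot>" there).
IOC_DOMAINS = {
    "mapstrek.com", "arcadeyum.com", "gdprcountryrestriction.com", "dtsince.com",
    "gameschill.com", "recipeally.com", "easytoolonline.com", "playpopgames.com",
}
# Extension names the article mentions, compared case-insensitively with the manifest "name".
IOC_NAMES = {"mapstrek promos", "crusharcade advertisements", "mapsfrontier advertisement offers"}
# Assumption of this example: permissions that let an extension observe or rewrite all browsing.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                         "webRequest", "webRequestBlocking", "tabs", "cookies", "history"}
SCAN_SUFFIXES = {".js", ".json", ".html", ".htm"}
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def matching_iocs(text):
    """Return the indicator domains referenced in text, including their subdomains."""
    found = set()
    for host in DOMAIN_RE.findall(text):
        host = host.lower()
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                found.add(ioc)
    return found


def scan_extension(ext_dir):
    """Inspect one unpacked extension directory (the one containing manifest.json)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8", errors="replace"))
    name = str(manifest.get("name", ""))
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    risky = sorted(p for p in perms if isinstance(p, str) and p in HIGH_RISK_PERMISSIONS)
    iocs = set()
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            iocs |= matching_iocs(path.read_text(encoding="utf-8", errors="replace"))
    if iocs or name.lower() in IOC_NAMES:
        verdict = "remove"   # matches an indicator from the article
    elif risky:
        verdict = "review"   # no indicator, but it can read or redirect all browsing
    else:
        verdict = "ok"
    return {"name": name, "path": str(ext_dir), "ioc_domains": sorted(iocs),
            "risky_permissions": risky, "verdict": verdict}


def scan_extensions_root(root):
    """Scan every extension below a Chrome profile's Extensions directory."""
    root = Path(root)
    return [scan_extension(m.parent) for m in sorted(root.rglob("manifest.json"))]


def build_sample_extensions(root):
    """Write two constructed extensions for the demo; neither is a real extension."""
    root = Path(root)
    bad = root / "aaaa" / "1.0_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "Sample Promos", "version": "1.0", "manifest_version": 2,
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "storage"],
        "background": {"scripts": ["addition_thread.js"]}}))
    # Constructed script: pulls an ad "feed" from a subdomain of an article-listed C2 domain
    # and checks for the sandbox-evasion redirect domain the article mentions.
    (bad / "addition_thread.js").write_text(
        'fetch("https://feed.dtsince.com/ads?net=MT").then(r => r.json());\n'
        'if (location.href.indexOf("gdprcountryrestriction.com") === -1) { /* ... */ }\n')
    good = root / "bbbb" / "2.1_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "name": "Sample Notes", "version": "2.1", "manifest_version": 2,
        "permissions": ["storage"]}))
    (good / "notes.js").write_text('chrome.storage.local.get("notes", console.log);\n')
    return root


def demo():
    """Run the scanner over the two constructed extensions and return the reports."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_root(build_sample_extensions(tmp))


if __name__ == "__main__":
    for report in demo():
        print(report["verdict"].upper(), report["name"], report["ioc_domains"], report["risky_permissions"])
```

To run it against a real profile, call `scan_extensions_root()` with the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows). A "remove" verdict means a file or name matches an indicator from the article; "review" only means the extension could read or redirect all browsing, which many legitimate extensions also request, so it is a prompt to look closer rather than a conviction. Manifests that localise their name as `__MSG_...__` will not match `IOC_NAMES`, so the domain check is the more reliable signal.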
What do you think about this news? Have you come across any suspicious extension with a similar name? Tell us your thoughts and opinions in the comments section.
You can also share some tips on how to maintain your browser privacy with others. Share this with your friends, family and colleagues and spread some cybersecurity.
Stay tuned, stay safe.