Security researcher Jamila Kaya discovered that the first
batch of Google Chrome extension has been hit by a malicious attack. She discovered the malicious
extension when she was carrying out some routine tasks of hunting for
When the attack was discovered, Google had no option than to remove more than 500 extensions from its web store. Sadly, over 1.7 million Chrome users had downloaded and installed the affected extensions from Google’s web store.
Research by the Cisco Duo team revealed that the malware
operation has been active since 2018, as published in a recent report.
After discovering the malware attack, Kaya contacted the Cisco team and informed them about the infected Chrome extensions and the possibility of the attack being a part of a bigger malware campaign . Kaya said the extensions offered advertising services, and they were among a network impersonator plugins that share identical functionalities.
She further mentioned that through teamwork, she and the
Due team succeeded in taking down several dozens of the affected extensions.
They also used CRXcavator.io to discover 70 matching
patterns of the affected extensions, before relaying their discovery to Google.
The Cisco Duo team also revealed that there are increased
concerns of the attackers using legitimate internet activity to carry out their
attack. They said one of the most common channels used by the actors is through
advertising cookies, which can be redirected to them.
The method is commonly known as “malvertising”, which is
strangely difficult to spot. It is usually used within other programs and acts
as a means for different forms of other attacks, including exploitation,
phishing, data exfiltration, as well as ad-fraud.
The Cisco team also pointed out that the code in the
affected extensions can send users to affiliate links on sites or even redirect
them to a download site that contains malware.
Also, extensions were equally used to redirect browsers to
different domains through adverts. Although many of these ads were genuine
(including ads from Best Buy, Dell, and Macy’s), they also come with malware ad
streams that redirect users to phishing and malware sites.
The Cisco researchers also pointed out the vulnerability of browser extensions to malicious attacks because of their nature. In 2017, a Google Chrome extension was infected by a malware which distributed phishing emails and stole lots of user data. Two years ago, researchers discovered that four extensions of the Google Chrome Web Store were infected by malware. The web store had a total user count of over 500,000.
And just last month, the Mozilla Firefox and Google Chrome
team discovered a malicious web extension that stole data and performed remote
code, as well as other negative actions.
researcher at PerimeterX, Aneet Naik, said recently that browser extensions are
the wide-wide-west of the internet. The chrome store alone has more than
200,000 available extensions. However, users do not know that these extensions
can gain access to most of the data on any page, which includes their credit
card numbers, banking information, and their email details.
Although most of
these extensions offer value-added services, they also tap important personal
information from users. When they are attacked, the actors could easily collect
and abuse user data.
The researchers added that when Google was contacted about
the development, it responded swiftly. A Google spokesman said the company has
always been responsive anytime the company was contacted by the research
community on things that violate Google’s policies.
Apart from the quick response, Google reiterated that it
usually carries out sweeps to discover extensions that may be vulnerable to attacks
via the use of behaviors, code, and comparative techniques.
Although Google has taken down the affected Chrome extensions, hackers could still lodge other attacks on extensions. Google has advised users to check their browser extensions and remove any unused ones. They should also get updated regularly, according to Google.