Google has removed 500 malicious Chrome extensions from its Web Store after finding that they injected malicious ads and siphoned off users' browsing data to servers under the attackers' control.
The extensions were part of a malvertising and ad-fraud campaign that had been operating since at least January 2019, although evidence suggests that the actor behind the scheme may have been active since 2017.
The findings come from a joint investigation by security researcher Jamila Kaya and Cisco-owned Duo Security, which initially unearthed 70 Chrome extensions with over 1.7 million installations.
After the findings were shared privately with Google, the company identified 430 more problematic extensions, all of which have since been deactivated.
“The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms,” said Kaya and Duo Security’s Jacob Rickerd in the report.
A Hidden Malvertising Campaign
Using Duo Security's Chrome extension security assessment tool, CRXcavator, the researchers determined that the extensions worked by covertly connecting users' browsers to an attacker-controlled command-and-control (C2) server, allowing private browsing data to be exfiltrated without the users' knowledge.
The extensions, which posed as promotion and advertising tools, had near-identical source code but differed in their function names, which helped them evade the Chrome Web Store's detection mechanisms.
In addition to requesting extensive permissions that gave them access to the clipboard and to all cookies stored in the browser, the extensions periodically contacted a domain sharing the same name as the extension (e.g., Mapstrek.com, ArcadeYum.com) to check for instructions to uninstall themselves from the browser.
After this initial contact, the extensions established a connection to a hard-coded C2 domain, DTSINCE.com, to fetch further commands, the locations to which user data should be uploaded, and updated lists of malicious ads and redirect domains, which then sent users' browsing sessions through a mix of legitimate and phishing sites.
“A huge portion of these are effective ad streams, leading to ads such as Macy’s, Dell, or Best Buy,” the report found. “Some of these ads could be considered legitimate; however, 60% to 70% of the time a redirect occurs, the ad streams reference a malicious site.”
Beware of Data-Stealing Google Chrome Extensions
This is not the first time data-stealing extensions have been exposed on Chrome. In July last year, security researcher Sam Jadali and The Washington Post uncovered a massive data leak, dubbed DataSpii (pronounced "data-spy"), carried out by Chrome and Firefox extensions installed on as many as four million users' browsers.
Those add-ons harvested browsing history, including personal information, and shared it with an unnamed third-party data broker, which passed it on to an analytics firm called Nacho Analytics (now shut down). Nacho Analytics sold the collected data to its subscribers in near real time.
For now, the same rules of caution apply: review extension permissions, consider uninstalling extensions you rarely use, or switch to alternatives that don't require invasive access to your browser activity.
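The permission review recommended above, together with the two indicators from the report (a check-in domain that shares the extension's name, and a separate hard-coded C2 domain), can be turned into a quick triage script for an unpacked extension. The following Python is an added example written for this article; it is not code from the report, from Duo Security, or from CRXcavator. The high-risk permission list is this example's own choice, the sample manifest and background script are constructed (they reuse two domain names from the report but are not the extensions' real code), and the self-uninstall check looks for chrome.management.uninstallSelf because that is the documented API for the behaviour, not because the report names it.

```python
import json
import re

# Permissions the triage treats as high-risk, with the capability each grants.
# This list is the example's own choice, not a list taken from the report.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read and write every cookie stored in the browser",
    "clipboardRead": "read the clipboard",
    "tabs": "see the URL and title of every open tab",
    "history": "read browsing history",
    "webRequest": "observe all network requests",
    "webRequestBlocking": "block or redirect network requests",
    "<all_urls>": "run on every site the user visits",
}

# Matches the host of an http(s) URL literal embedded in JavaScript source.
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Arcade Yum' and 'arcadeyum.com' compare."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def risky_permissions(manifest: dict) -> dict:
    """Return the high-risk permissions a manifest declares (v2 'permissions' and v3 'host_permissions')."""
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    found = {}
    for perm in declared:
        if perm in HIGH_RISK_PERMISSIONS:
            found[perm] = HIGH_RISK_PERMISSIONS[perm]
        elif perm.startswith(("http://", "https://", "*://")) and "*" in perm:
            found[perm] = "wildcard host pattern"
    return found


def hardcoded_domains(js_source: str) -> set:
    """Every hostname that appears as a URL literal in the script."""
    return {m.lower() for m in DOMAIN_RE.findall(js_source)}


def triage(manifest: dict, js_source: str) -> dict:
    """Combine the permission review with the beaconing indicators from the report."""
    domains = hardcoded_domains(js_source)
    ext_name = normalize(manifest.get("name", ""))
    # A hard-coded domain that shares the extension's name is the check-in pattern described above.
    name_match = sorted(d for d in domains if ext_name and ext_name in normalize(d))
    # Any remaining hard-coded domain is a candidate C2 worth a closer look.
    other = sorted(domains - set(name_match))
    # chrome.management.uninstallSelf is the documented way an extension removes itself;
    # the report does not say which API the samples used, so treat this only as an indicator.
    self_uninstall = "chrome.management.uninstallSelf" in js_source
    return {
        "risky_permissions": risky_permissions(manifest),
        "name_matching_domains": name_match,
        "other_domains": other,
        "self_uninstall": self_uninstall,
    }


# Constructed sample input: a manifest and background script written for this example,
# reusing two domain names from the report. Not the real extensions' code.
SAMPLE_MANIFEST = json.loads("""{
  "name": "Mapstrek",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["cookies", "clipboardRead", "tabs", "webRequest", "<all_urls>", "storage"],
  "background": {"scripts": ["bg.js"]}
}""")

SAMPLE_JS = """
var chk = "https://mapstrek.com/status";
var cc = "https://dtsince.com/api/ads";
function q7x() {
  fetch(chk).then(r => r.json()).then(j => { if (j.remove) chrome.management.uninstallSelf(); });
  fetch(cc).then(r => r.json()).then(cfg => chrome.storage.local.set({ads: cfg.ads}));
}
setInterval(q7x, 3600000);
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_JS), indent=2))
```

To run this against a real extension, load its manifest.json with json.load and concatenate the scripts listed under "background" and "content_scripts" into js_source. A clean result does not prove an extension is safe (the report's samples evaded store review by renaming functions, and remote configuration can change what a domain serves), but a hit on the cookies or clipboard permissions combined with a hard-coded external domain is exactly the profile the campaign described above presented.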