Posted on February 16, 2020 at 4:39 PM
Security researcher Jamila Kaya discovered a batch of malicious Google Chrome extensions while carrying out routine threat-hunting work.
Once the attack was confirmed, Google had no option but to remove more than 500 extensions from its web store. By then, over 1.7 million Chrome users had downloaded and installed the affected extensions from Google’s web store.
Some of the malicious extensions already taken down
Research by the Cisco Duo team, published in a recent report, revealed that the malware operation had been active since 2018.
After discovering the malicious extensions, Kaya contacted the Cisco team, informed them about the infected Chrome extensions, and raised the possibility that the attack was part of a larger malware campaign. Kaya said the extensions offered advertising services and were part of a network of copycat plugins that shared identical functionality.
She further said that, working together, she and the Duo team succeeded in taking down several dozen of the affected extensions. They also used CRXcavator.io to discover 70 matching patterns of the affected extensions before relaying their findings to Google.
The Cisco Duo team also raised concerns about attackers abusing legitimate internet activity to carry out their attacks. One of the most common channels used by the actors, they said, is advertising cookies, which can be redirected to them.
The method is commonly known as “malvertising” and is surprisingly difficult to spot. It is usually embedded in other programs and acts as a delivery mechanism for other forms of attack, including exploitation, phishing, data exfiltration and ad fraud.
The Cisco team also pointed out that the code in the affected extensions can send users to affiliate links or redirect them to download sites hosting malware.
The extensions were also used to redirect browsers to different domains through adverts. Although many of these ads were genuine (including ads from Best Buy, Dell, and Macy’s), they were mixed with malicious ad streams that redirected users to phishing and malware sites.
Browser extensions could face various problems
The Cisco researchers also pointed out that browser extensions are, by their nature, vulnerable to malicious attacks. In 2017, a Google Chrome extension was infected by malware that distributed phishing emails and stole large amounts of user data. Two years ago, researchers discovered that four extensions in the Google Chrome Web Store were infected by malware. The web store had a total user count of over 500,000.
And just last month, the Mozilla Firefox and Google Chrome teams discovered a malicious web extension that stole data and executed remote code, among other harmful actions.
Why hackers attack browser extensions
A security researcher at PerimeterX, Aneet Naik, said recently that browser extensions are the wild, wild west of the internet. The Chrome store alone has more than 200,000 available extensions. However, users often do not realize that these extensions can gain access to most of the data on any page, including credit card numbers, banking information and email details.
Although most of these extensions offer value-added services, they also tap into important personal information from users. When they are compromised, the actors behind the attack can easily collect and abuse user data.
Google was quick to respond
The researchers added that when Google was contacted about the findings, it responded swiftly. A Google spokesman said the company has always been responsive whenever it is contacted by the research community about things that violate Google’s policies.
Apart from the quick response, Google reiterated that it regularly carries out sweeps to discover extensions that may be vulnerable to attacks, using behavioral, code-based and comparative techniques.
Although Google has taken down the affected Chrome extensions, attackers could still launch other attacks through extensions. Google has advised users to check their browser extensions and remove any unused ones. Extensions should also be kept updated regularly, according to Google.
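The advice to check installed extensions can be made concrete. The following Python script is an added example, not code from the article, from Cisco Duo or from Google: it walks a Chrome profile's Extensions directory, reads each manifest.json, and flags extensions that combine access to every site (the `<all_urls>` pattern or equivalent host patterns, or content scripts matching every page) with network- or tab-level permissions, which is the combination an ad-injecting extension needs. It goes slightly beyond the article by handling both Manifest V2 (host patterns listed under "permissions") and Manifest V3 ("host_permissions"). The profile path, the sample manifests and the extension ids are constructed for the example.

```python
"""Audit installed Chrome extensions for broad host access plus sensitive APIs.

Added example. Assumes Chrome's on-disk layout Extensions/<id>/<version>/manifest.json
and the documented manifest keys "permissions", "host_permissions" and "content_scripts".
"""
import json
import os
from typing import Dict, List

# Host patterns that grant access to every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or rewrite traffic, tabs or cookies.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "history", "clipboardRead", "scripting",
}


def audit_manifest(manifest: dict) -> dict:
    """Summarise the risk-relevant fields of one manifest (V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # Manifest V3 location
    # Manifest V2 mixes host patterns into "permissions"; separate them out.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            hosts.add(p)
            perms.discard(p)
    # A content script injected into every page is equivalent to broad host access.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "broad_host_access": bool(hosts & BROAD_HOST_PATTERNS),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "hosts": sorted(hosts),
    }


def flag_extensions(manifests: Dict[str, dict]) -> List[str]:
    """Return ids of extensions that pair broad host access with a sensitive permission."""
    flagged = []
    for ext_id, manifest in manifests.items():
        report = audit_manifest(manifest)
        if report["broad_host_access"] and report["sensitive_permissions"]:
            flagged.append(ext_id)
    return sorted(flagged)


def load_chrome_manifests(profile_dir: str) -> Dict[str, dict]:
    """Read every manifest under <profile_dir>/Extensions/<id>/<version>/manifest.json.

    Assumption: on Linux the default profile is ~/.config/google-chrome/Default;
    adjust the path for other operating systems.
    """
    manifests: Dict[str, dict] = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return manifests
    for ext_id in os.listdir(ext_root):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in os.listdir(ext_dir):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    manifests[ext_id] = json.load(fh)
    return manifests


# Constructed sample manifests with hypothetical ids (not real extension ids).
SAMPLE_MANIFESTS = {
    "ext_a_notes": {"name": "Notes", "version": "1.0", "manifest_version": 3,
                    "permissions": ["activeTab", "storage"]},
    "ext_b_ad_injector": {"name": "Deals Helper", "version": "2.3", "manifest_version": 2,
                          "permissions": ["<all_urls>", "webRequest",
                                          "webRequestBlocking", "storage"]},
    "ext_c_site_helper": {"name": "Example Helper", "version": "0.9", "manifest_version": 3,
                          "permissions": ["cookies"],
                          "host_permissions": ["https://example.com/*"]},
    "ext_d_page_tool": {"name": "Page Tool", "version": "1.4", "manifest_version": 3,
                        "permissions": ["tabs", "storage"],
                        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
}

if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for load_chrome_manifests(os.path.expanduser(
    # "~/.config/google-chrome/Default")) to audit a real profile.
    for ext_id in flag_extensions(SAMPLE_MANIFESTS):
        r = audit_manifest(SAMPLE_MANIFESTS[ext_id])
        print(f"{ext_id}: {r['name']} v{r['version']} -> hosts={r['hosts']} "
              f"sensitive={r['sensitive_permissions']}")
```

Being flagged is a prompt to review, not proof of malice: an ad blocker legitimately needs `<all_urls>` plus `webRequestBlocking`. The point is to surface the extensions whose permission set would let them do what the article describes, so that unused or unfamiliar ones can be removed.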