Posted on August 7, 2017 at 12:48 PM
Hackers Compromised Chrome Extension with Over 1 Million Users
A popular trend for spammers and cyber criminals in the last couple of years was the tactic of buying web extensions from the developers, secretly updating them so they inject bulk advertisements into every site user visits without letting the user know, resulting in them creating a big income.
But they’ve recently managed to take it a step further: from their usual business model, investing, they’ve switched to phishing attacks meant to hijack popular browser extensions.
Recently, there have been reports on cyber criminals compromising the Chrome Web Store account of a German developer team and hijacking an extension known as Copyfish, which they then modified so it contained ad-injection capabilities which would allow it to send spam correspondence to users.
More recently, another extension for Chrome has been compromised, this time it is so-called Web Developer. Unknown attackers updated the software with the new option being the capability to inject advertisements into web browsers of more than 1 million people.
Late Wednesday, Chris Pederick alerted of the phishing attack made by unknown hackers to his Google account, during which they’ve managed to update the Web Developer to a new version, 0.4.9, and send it off into the world and to 1,044,000 of the extension’s users. Chris Pederick is the creator of Web Developer Chrome extension, which offers various web development tools.
The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded ?
— Chris Pederick (@chrispederick) August 2, 2017
In both of these cases, cyber criminals gained access to the developers’ Google accounts using phishing attacks, then hijacked the extensions in question in order to update them so they would perform malicious acts.
Interestingly enough, the Firefox version of either of the extensions in question was not affected during the attack.
The developer explained the way the now updated, malicious software worked – it would build fetched JavaScript code from the web and run it within users’ web browsers to force the advertisements onto web pages.
The plugin allowed itself access to everything that is happening on the browser of a user, including reading all the website content to intercept traffic, sniff keystrokes, or any imaginable task.
The hijacking of the Web Developer extension could prove to be a difficulty for users, those who are professional designers especially and have the habit of accessing their official accounts on the same browser.
According to Pederick, this malicious update of the software could have done worse damage, because he had found out about the attack within five to six hours since it happened and then immediately pulled the extension from the Chrome Store and fixed it within an hour.
Still, during the time the update went unnoticed, it managed to make a good amount of commission from the ads.
The users of Web Developer are strongly advised to update their extensions to version 0.5 as soon as possible. It is also recommended for them to change their passwords for all web accounts.