Google has announced that it removed 500 malicious Chrome extensions from the Web Store. The extensions stole the data of 1.7 million users, and were removed only after they had injected malicious ads used to send user browsing data to hacked servers.
The malvertising and ad-fraud campaign built on these extensions has been operating since January 2019, although the actor behind it may have been active since 2017.
The extensions were discovered after a joint investigation of the security researcher Jamila Kaya and Cisco-owned Duo Security. They unearthed 70 Chrome Extensions with over 1.7 million installations.
Google then identified 430 more problematic browser extensions, all of which have since been deactivated.
Kaya and Duo Security’s Jacob Rickerd note in their report that attacks like this succeed because users remain underserved by protection mechanisms. Thus, “the prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous”.
The researchers discovered that the plugins operated by secretly connecting clients to an attacker-controlled command-and-control (C2) server, which, as they note, made it possible to steal private browsing data without the users’ knowledge. The extensions evaded the Chrome Web Store’s detection mechanisms by sharing near-identical source code while using different names for their functions.
How did the Chrome Extensions work?
The plugins were programmed to request extensive permissions, which gave them access to the clipboard and to the cookies stored locally in the browser. They periodically connected to a domain sharing the same name as the plugin, where they checked for instructions on whether to uninstall themselves from the browser.
After this initial contact, the plugins connected to a hard-coded C2 domain and awaited further commands, receiving from it the locations to which user data should be uploaded as well as updated lists of malicious ads and redirect domains. They then redirected users’ browsing sessions to a mix of legitimate and phishing sites.
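As an added defensive example (not code from the article or from the Duo report), the script below triages an unpacked extension's manifest.json against the two traits just described: broad clipboard/cookie permissions, and contact with a domain named after the extension itself. The manifest, the contacted-host list and the risky-permission set are constructed placeholders.

```python
import json
import re

# Permissions matching the traits the article describes (clipboard and cookie
# access) plus broad host access; the exact set is an assumption for this example.
RISKY_PERMISSIONS = {
    "clipboardRead", "clipboardWrite", "cookies", "<all_urls>",
    "webRequest", "webRequestBlocking",
}

# Constructed sample: an unpacked extension's manifest.json and the hosts it was
# observed contacting (e.g. from proxy logs). Names are placeholders, not real ones.
SAMPLE_MANIFEST = json.dumps({
    "name": "Sample Deals-Helper",
    "version": "1.0",
    "permissions": ["cookies", "clipboardRead", "<all_urls>", "storage"],
})
SAMPLE_HOSTS = ["sampledealshelper.example", "cdn.jsdelivr.net"]


def normalize(label: str) -> str:
    """Lower-case and strip everything but letters and digits for loose matching."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def triage_extension(manifest_json: str, contacted_hosts) -> list:
    """Return findings for the two traits: broad permissions, and a contacted
    domain whose name mirrors the extension's own name."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = []
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("broad permissions requested: " + ", ".join(risky))
    ext_name = normalize(manifest.get("name", ""))
    for host in contacted_hosts:
        # Compare the host minus its last label (e.g. "foo.example" -> "foo") with the name.
        stem = normalize(host.rsplit(".", 1)[0])
        if ext_name and stem == ext_name:
            findings.append("contacts a domain named after the extension: " + host)
    return findings


if __name__ == "__main__":
    for line in triage_extension(SAMPLE_MANIFEST, SAMPLE_HOSTS):
        print("FINDING:", line)
```

An extension that trips both checks is a candidate for manual review of its source and network behaviour, not proof of malice on its own.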
The report mentions that: “A large portion of these are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy.” Also, “some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site.”
Chrome had other data-stealing extensions
This is not the first time Chrome extensions have been caught stealing data. Last July, security researcher Sam Jadali and The Washington Post uncovered a massive data leak, dubbed DataSpii, carried out by Chrome and Firefox extensions installed in four million users’ browsers.
The add-ons collected browsing activity, including personally identifiable information, and shared it with an unnamed third-party data broker. The broker passed it on to an analytics firm, Nacho Analytics (now shut down), which then sold the collected data to its subscribing members.