Researchers Say Attackers Stole Browser Data and Redirected Users to Malicious Sites
Google has removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data, according to a new report from security firm Duo Security. The thefts were part of a malvertising campaign that had been active for at least a year, the researchers say.
In a message to the researchers that it had removed the extensions, Google noted that it “regularly sweeps to find extensions using similar techniques, code and behaviors and take down those extensions if they violate our policies.”
While the malicious browser extensions have been removed, the researchers note that the malvertising campaign may have affected 1.7 million Chrome users who downloaded the extensions from the official Google Chrome Web Store. The campaign, which dates to at least January 2019, appears to have accelerated between March and June of last year, the Duo Security report, published Thursday, adds.
In the campaign that the researchers discovered, the Chrome extensions were modified by the fraudsters to harvest user data from their web browsers, which was then sent to servers that the scammers controlled, according to the report. Users were also redirected to malicious domains and landing pages.
The researchers noticed that much of the source code used to build these Chrome extensions was the same, meaning that they likely were the work of the same fraudsters or criminal group.
“The plugins have almost no ratings, and the source code of the plugins are nearly identical to each other,” Jamila Kaya, an independent security researcher, and Jacob Rickerd, an analyst for security firm Duo Security, note in the report. “The only substantial differences in the source code are the names of the functions. With a much larger number than similar plugins and services, it’s likely that a single change of all the function names reduces the similarity to other plugins enough to avoid detection mechanisms.”
The Duo Security report lists all 500 of the suspicious Chrome extensions, most of which were advertised as games, weather applications or plug-ins for maps and other navigations.
Over the years, security researchers have found that scammers and fraudsters have increasingly used browser extensions to plant malware and conduct other malicious campaigns.
In 2018, for example, researchers at Gigamon found four malicious extensions in the official Google Chrome store that affected more than 500,000 users.
Uncovering the Campaign
The latest investigation into extensions began when Kaya, the independent researcher, was conducting a routine threat hunting exercise and found about a dozen suspicious Chrome extensions that were posted in the official Google Chrome Web Store, according to the Duo Security report.
Using CRXcavator, a free, automated Chrome extension security assessment tool developed by Duo Security, Kaya eventually identified about 70 malicious Chrome extensions that all appeared to use the same code and had other similarities, according to the report.
After Kaya and researchers from Duo Security notified Google, the tech giant identified the additional 430 malicious Chrome extensions and removed all 500 from the online store, according to the report.
In most cases, the fraudsters used code to help obfuscate the extensions’ malicious activity, such as how these extensions would connected to a command-and-control server once downloaded, the researchers say.
“This was done in order to connect the browser clients to a command-and-control architecture, exfiltrate private browsing data without the user’s knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms,” according to the report.
A closer look at the campaign found that much of the advertising streamed to users who downloaded these extensions was tied to legitimate companiesm such as Macy’s, Dell or Best Buy, according to the report. These ad streams were delivered in such large volumes that the fraudsters would make money by fraudulently delivering click traffic, according to the report. At other times, the users were directed to malicious domains that were used for phishing and other scams.
In a January report that looked at malvertising trends in the third quarter of 2019, researchers at the security firm Confiant noted that while malvertising had slowed somewhat, fraudsters still managed to deliver some 4 billion ad impressions to generate fake clicks.
In 2018, Confiant researchers uncovered one of the largest malvertising campaigns, called Zirconium, which served as many as 1 billion ads across the web over the course of several years. The Zirconium campaign involved redirecting users to malicious sites or trying to get them to click using social engineering techniques (see: Online Advertising: Hackers’ Little Helper).
Knowing that extensions are frequently targeted by these types of fraudsters, Google recently updated its security and privacy requirements for developers who want to post their extensions in the company’s official online store. Now, developers must submit privacy guidelines with their extension and explicitly ask for permission from users before any extensions are downloaded.