Cyber Criminals Hijack Chrome Extensions and put 4.7 Million Users at Risk

Developer accounts of popular chrome extensions being hijacked by cyber criminals, over 4.7 million users are at a risk of cyber attack.

Over 4.7 million users could be at risk after being exposed to malicious adverts and credentials theft due to developer accounts of popular chrome extensions being hijacked by cyber criminals.

A phishing campaign run by Cyber Criminals in July that targeted chrome extension developers, with the purpose of harvesting their Google account credentials, has led to 8 very popular chrome extensions being compromised.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.” reported the analysis of the security firm Proofpoint.

Figure 1 – example of phishing email- source Proofpoint

Using the compromised developer accounts, the threat actors were able to inject code in to the legitimate extensions that would serve its users substituted adverts to adult websites, windows repair scams, and in some cases credentials harvesting. Research conducted by Proofpoint reported that the affected extensions include:

Web Developer- 1,044,016 users
Chrometana- 597, 577 users
Infinity New Tab- 476, 803 users
CopyFish- 37,397 uses
Web Paint- 53,930 users
Social Fixer- 182, 083 users
TouchVPN- 1,031,690 users
Betternet VPN- 1, 334,517 users

Some of the tactics used by the threat actors were to check whether the Chrome Extension had been installed for 10 minutes – commonly thought to bypass detection.

if ((Date.now() – installed) > 10 * 60 * 1000)

This check was made before proceeding with the rest of the extension code which resulted in retrieving a remote file “ga.js” from a server which the domain is generated via DGA (Domain Generation Algorithm), this call is made over HTTPS.

One of the objectives of compromised version of the extension was to attempt to substitute legitimate adverts on the victim’s browser, hijacking traffic from legitimate advertising networks and replacing with services (usually adult in nature), that the threat actors would profit from.

“While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites” continues Proofpoint.

The adverts worked for a specific set of 33 banner sizes shown in the code snippet from 973820_BNX.js?rev=133 below:

Figure 2 Banner size for substituted malicious adverts source Proofpoint

Also, it was noted in the research conducted by Proofpoint concluded that similar pop up alerts known to be associated with the compromise of Infinity New Tab extension in May and fake EU cookie-consent alert last year were also found in this campaign.

In summary, attackers are increasingly targeting developers through a phishing email, as a way to gain access to a large user base to quickly generate traffic to their affiliate schemes or gather credentials than can be later harvested for profit.

This is a worrying trend and developers need to be more aware of the increased risks, it was only 6 months ago when researchers discovered that attackers were targeting developers of Github repositories to gain access to fintech or high tech companies.

The tactics on display in this particular campaign are not necessarily new but demonstrate the potential widespread impact of the phishing emails, but a question that hasn’t really been answered is why didn’t the developers have 2FA for their Google developer accounts?

About the author: Stuart Peck, Director of Cyber Security Strategy, ZeroDayLab
From a background of threat intelligence, social engineering, and incident response, Stuart Pecks heads up Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organizations on the latest attacker trends facing business today and how to combat them, Stuart’s key areas of expertise include: the dark web, social engineering, malware and ransomware analysis & trends, threat hunting, OSINT, HUMINT and attacker recon techniques.

https://www.linkedin.com/in/itsecurity/

https://twitter.com/cybersecstu

Enjoy Stuart’s talk at Security Scotland Meet Up

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, Chrome extensions)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.