Over 4.7 million users could be at risk after being exposed to malicious adverts and credentials theft due to developer accounts of popular chrome extensions being hijacked by cyber criminals.
A phishing campaign run by Cyber Criminals in July that targeted chrome extension developers, with the purpose of harvesting their Google account credentials, has led to 8 very popular chrome extensions being compromised.
“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.” reported the analysis of the security firm Proofpoint.
Figure 1 – example of phishing email- source Proofpoint
Using the compromised developer accounts, the threat actors were able to inject code in to the legitimate extensions that would serve its users substituted adverts to adult websites, windows repair scams, and in some cases credentials harvesting. Research conducted by Proofpoint reported that the affected extensions include:
Some of the tactics used by the threat actors were to check whether the Chrome Extension had been installed for 10 minutes – commonly thought to bypass detection.
if ((Date.now() – installed) > 10 * 60 * 1000)
This check was made before proceeding with the rest of the extension code which resulted in retrieving a remote file “ga.js” from a server which the domain is generated via DGA (Domain Generation Algorithm), this call is made over HTTPS.
One of the objectives of compromised version of the extension was to attempt to substitute legitimate adverts on the victim’s browser, hijacking traffic from legitimate advertising networks and replacing with services (usually adult in nature), that the threat actors would profit from.
“While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites” continues Proofpoint.
The adverts worked for a specific set of 33 banner sizes shown in the code snippet from 973820_BNX.js?rev=133 below:
Figure 2 Banner size for substituted malicious adverts source Proofpoint
Also, it was noted in the research conducted by Proofpoint concluded that similar pop up alerts known to be associated with the compromise of Infinity New Tab extension in May and fake EU cookie-consent alert last year were also found in this campaign.
In summary, attackers are increasingly targeting developers through a phishing email, as a way to gain access to a large user base to quickly generate traffic to their affiliate schemes or gather credentials than can be later harvested for profit.
This is a worrying trend and developers need to be more aware of the increased risks, it was only 6 months ago when researchers discovered that attackers were targeting developers of Github repositories to gain access to fintech or high tech companies.
The tactics on display in this particular campaign are not necessarily new but demonstrate the potential widespread impact of the phishing emails, but a question that hasn’t really been answered is why didn’t the developers have 2FA for their Google developer accounts?
About the author: Stuart Peck, Director of Cyber Security Strategy, ZeroDayLab
https://www.linkedin.com/in/itsecurity/
https://twitter.com/cybersecstu
Enjoy Stuart’s talk at Security Scotland Meet Up
[adrotate banner=”9″] |
(Security Affairs – hacking, Chrome extensions)
[adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.