• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions

 | 

Malicious AI-generated npm package hits Solana users

 | 

Meta Offers $1M bounty at Pwn2Own Ireland 2025 for WhatsApp exploits

 | 

ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

 | 

CISA released Thorium platform to support malware and forensic analysis

 | 

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 

Dahua Camera flaws allow remote hacking. Update firmware now

 | 

Researchers released a decryptor for the FunkSec ransomware

 | 

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Four malicious Chrome extensions affected over half a million users and global businesses

Four malicious Chrome extensions affected over half a million users and global businesses

Pierluigi Paganini January 16, 2018

Four malicious Chrome extensions may have impacted more than half million users likely to conduct click fraud or black search engine optimization.

More than half million users may have been infected by four malicious Chrome extensions that were likely used to conduct click fraud or black search engine optimization.

According to ICEBRG, the malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks.

“Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally.” states the analysis published by  ICEBRG. “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.”

The researchers noticed an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider. The analysis of the HTTP traffic revealed it was to the domain ‘change-request[.]info’ and was generated from a Chrome extension with ID ‘ppmibgfeefcglejjlpeihfdimbkfbbnm’ named Change HTTP Request Header that was available via Google’s Chrome Web Store.

Malicious Chrome Extensions

The extension does not contain any malicious code, but the combination of “two items of concern that” could allow attackers to inject and execute an arbitrary JavaScript code via the extension.

The experts highlighted that Chrome extensions are not allowed to retrieve JSON from an external source and execute JavaScript code they contain, but need to explicitly request its use via the Content Security Policy (CSP).

Once enable the ‘unsafe-eval’ (Figure 3) permission to retrieve the JSON from an external source the attacker can force the browser to execute malicious code.

“When an extension does enable the ‘unsafe-eval’ (Figure 3) permission to perform such actions, it may retrieve and process JSON from an externally-controlled server.” “This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.” continues the analysis.

The Change HTTP Request Header extension is able to download obfuscated JSON files from an external source (‘change-request[.]info’), by invoking the ‘update_presets()’ function.

The Chrome extension implemented an anti-analysis technique to avoid detection.

The extension checks the JavaScript for the presence of native Chrome debugging tools (chrome://inspect/ and chrome://net-internals/), and if detected, halts the injection of malicious code segment. The Chrome extension implemented an anti-analysis technique to avoid detection.

Once injected the code, the JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

During the analysis, the experts observed that this feature was observed by threat actors for visiting advertising related domains likely to conduct click fraud scams.

“The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.” continues the analysis.

The security experts discovered other Chrome extensions with a similar behavior and using the same C&C server.

  • Nyoogle – Custom Logo for Google
  • Lite Bookmarks
  • Stickies Chrome’s Post-it Notes
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –Malicious Chrome extensions, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Chrome Chrome extensions click fraud Cybercrime Hacking

you might also like

Pierluigi Paganini August 02, 2025
China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions
Read more
Pierluigi Paganini August 01, 2025
Malicious AI-generated npm package hits Solana users
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions

    Intelligence / August 02, 2025

    Malicious AI-generated npm package hits Solana users

    Malware / August 01, 2025

    Meta Offers $1M bounty at Pwn2Own Ireland 2025 for WhatsApp exploits

    Hacking / August 01, 2025

    ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

    APT / August 01, 2025

    CISA released Thorium platform to support malware and forensic analysis

    Cyber Crime / August 01, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT