Google Chrome extension developers are increasingly being targeted by phishing attacks that steal their account credentials; with those credentials, attackers push malicious versions of popular extensions and hijack users' browser traffic.
Chrome Extensions on Attackers Hit List
Recently it was reported that the Google Chrome extension Copyfish was hijacked after attackers tricked one of its developers' team members into responding to a phishing email and handing over his credentials. This was not an isolated incident: at least seven other Chrome extensions have reportedly been compromised in the same way recently, and Chrome users are left wondering whether Google and extension developers can protect their security and their information.
Back in July, developer credentials belonging to A9t9 Software were compromised, and the company's highly popular free optical character recognition extension, known as "Copyfish", was hijacked and used to serve spam in an organised phishing campaign. Researchers are cautioning that attackers have since upped their game, seeking to take over large numbers of Chrome extensions in order to hijack traffic and engage in malvertising. Once attackers obtain a developer's credentials, most likely through an emailed phishing campaign, they can publish malicious versions of the legitimate extensions, which are then delivered to every existing user as an ordinary update.
Newly Compromised Extensions and The Threat They Pose To You
Researchers at Proofpoint released a report on Monday listing the compromised extensions and versions: Social Fixer (20.1.1), Web Paint (1.2.1), Chrometana (1.1.3), Infinity New Tab (3.12.3) and Web Developer (0.4.9). All of the listed extensions are believed to have been modified by the same individual using the same modus operandi. The report also states that the researchers believe the Chrome extensions TouchVPN and Betternet VPN were compromised by the same method earlier, in June of this year.
The report also notes that, in addition to hijacking traffic and driving victims to questionable affiliate programmes, the injected code harvests Cloudflare credentials, giving the attackers a new means of devising future attacks against users. Although some ordinary websites were targeted, the researchers point out that the attackers' ad substitutions were mostly aimed at adult websites.
A closer look at the affiliate landing pages used by the attackers, browser-update[.]info and searchtab[.]win, shows that a substantial amount of traffic flows through them. Even more striking, searchtab[.]win alone received around 920,000 visits in one month, although it remains unclear what proportion of that traffic was generated by the hijacked extensions.
Chris Pederick, developer of the Web Developer Chrome extension and one of the developers affected by the hijackings, drew the researchers' attention and prompted a quick response from the security community after he tweeted that his extension had been compromised.
Researchers obtained the compromised version of Pederick's extension and isolated the injected malicious code. Analysis shows that the code retrieves a remote file named "ga.js" over HTTPS from a server whose domain is produced by a domain generation algorithm (DGA), so the hostname changes over time and cannot be blocked by a single static indicator. This first stage then conditionally calls additional scripts; among them is one that harvests Cloudflare credentials, which lets the attackers tamper with sites hosted behind Cloudflare and substitute their own ads on those websites.
Phishing aimed at extension developers has not been a priority for many of them, which is why this wave of hijackings caught the community off guard. With a detailed report on the campaign now available, developers have little choice but to spend more effort on resisting phishing, including protecting the accounts used to publish extensions with two-factor authentication, since a single stolen password was enough to turn each of these extensions against its users.