Duo Security recently identified more than 500 Chrome browser extensions, downloaded millions of times in total, that were stealing users' browsing data and uploading it to servers controlled by the attackers. The extensions are known to have been operating from around January 2019, with activity increasing quickly from March through June; however, the firm notes that they could have been in operation for much longer, possibly since 2017.
Jamila Kaya, an independent researcher who worked with the Cisco-owned firm, found that the extensions were part of a long-running malvertising and ad-fraud scheme. In the first round, 71 such extensions with more than 1.7 million installs on the Chrome Web Store were identified. After those findings were reported to Google, about 400 more such extensions were discovered.
While the extensions had no functionality in common, they did share nearly the same source code, Kaya found. She discovered them with the help of CRXcavator, a tool that Duo Security developed and released free to the public. The tool assesses the security posture of any Chrome extension, including the permissions it requests and the external domains it contacts.
These extensions were presented as utilities that offered promotions and similar advertising services. In practice they carried out ad fraud and malvertising by manipulating the user's browsing. Each plugin first contacted a website whose domain name resembled the name of the extension the user had installed, to check for instructions on whether it should uninstall itself.
The plugin then redirected the browser to one of several hard-coded control servers for further instructions: where to upload data, lists of advertisement feeds, and domains to use for future redirects. The browser simply followed whatever redirections it was handed.
Taken individually, most of these redirects were harmless; the activity became malicious and fraudulent once the volume was considered, with a browser redirected upwards of 30 times in some cases. Added to this, most of the ads were deliberately concealed from the users, and in some cases the redirect chains led the user to malware and phishing sites.
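Because each hop in such a chain looks like an ordinary 3xx response, the abuse only shows up when the hops are stitched back together per client. The following is an added example, not code from Duo Security or the report: it reconstructs redirect chains from a constructed proxy log (the whitespace-separated "client status url [location]" format and the 10-hop threshold are assumptions for illustration) and flags clients that were bounced through far more hops than a legitimate redirect ever needs.

```python
"""Reconstruct HTTP redirect chains from proxy log lines and flag abusive ones."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format (constructed for this example): client status url [location]
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+)(?: (?P<location>\S+))?$"
)


def build_sample_log(hops=30):
    """Constructed sample data: one client bounced through `hops` ad domains,
    one client seeing a normal single http->https redirect."""
    lines = []
    urls = [f"http://adhop{i}.example/r?{i}" for i in range(hops + 1)]
    for src, dst in zip(urls, urls[1:]):
        lines.append(f"10.0.0.5 302 {src} {dst}")
    lines.append(f"10.0.0.5 200 {urls[-1]}")
    lines.append("10.0.0.7 301 http://shop.example/login https://shop.example/login")
    lines.append("10.0.0.7 200 https://shop.example/login")
    return "\n".join(lines)


def parse_log(text):
    """Yield (client, status, url, location) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["client"], int(m["status"]), m["url"], m["location"]


def build_chains(records):
    """Follow 3xx Location hops per client; returns a list of (client, [urls])."""
    hops = defaultdict(dict)      # client -> {requested url: Location it was sent to}
    targets = defaultdict(set)    # client -> urls that were themselves redirect targets
    for client, status, url, location in records:
        if 300 <= status < 400 and location:
            hops[client][url] = location
            targets[client].add(location)
    chains = []
    for client, edges in hops.items():
        # A chain starts at a redirected URL that nothing else redirected to.
        heads = [u for u in edges if u not in targets[client]]
        for head in heads:
            chain, seen, cur = [head], {head}, head
            # Stop at the first non-redirect, or on a loop.
            while cur in edges and edges[cur] not in seen:
                cur = edges[cur]
                chain.append(cur)
                seen.add(cur)
            chains.append((client, chain))
    return chains


def flag_chains(chains, max_hops=10):
    """Return chains longer than max_hops with their distinct-domain count."""
    flagged = []
    for client, chain in chains:
        hop_count = len(chain) - 1
        if hop_count > max_hops:
            domains = {urlsplit(u).hostname for u in chain}
            flagged.append({"client": client, "hops": hop_count,
                            "domains": len(domains), "final": chain[-1]})
    return flagged


if __name__ == "__main__":
    chains = build_chains(parse_log(build_sample_log()))
    for hit in flag_chains(chains):
        print(f"{hit['client']}: {hit['hops']} hops across "
              f"{hit['domains']} domains, ending at {hit['final']}")
```

The per-client grouping matters: the same ad-hop domains will appear in benign traffic too, and only the chain length and domain churn seen by one browser separate a 30-hop laundering chain from a normal login redirect.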
Duo Security notes that the extensions were built in such a way that the real purpose of the advertising always remained hidden from the users. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms,” states the report by the security firm.
Google has since disabled the extensions and flagged them as malware, so users can no longer install or access them. In the same vein, users should be vigilant when installing extensions and granting them permissions, and should remove any extension they do not recognize or have not used in a long time.
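The two signals described above, broad permissions and a hard-coded domain that mimics the extension's own name, can be checked offline on an unpacked extension before deciding whether to keep it. The following is an added example and not part of the report or of CRXcavator: it audits a constructed manifest.json and background script (the extension name, the domains, and the list of permissions treated as "broad" are all assumptions made for this illustration) and reports the risky permissions, every hostname hard-coded in the scripts, and those hostnames that look like the extension's name.

```python
"""Offline audit of an unpacked Chrome extension: permissions and hard-coded hosts."""
import json
import re
from urllib.parse import urlsplit

# Permissions that let an extension read or redirect arbitrary browsing.
# This set is an assumption for the example, not an official list.
BROAD_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "cookies", "history", "*://*/*", "http://*/*", "https://*/*",
}

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

# Constructed sample extension (not a real extension from the report).
SAMPLE_MANIFEST = """{
  "manifest_version": 2,
  "name": "Promo Deals Finder",
  "version": "1.4",
  "permissions": ["tabs", "<all_urls>", "storage"],
  "background": {"scripts": ["background.js"]}
}"""

SAMPLE_BACKGROUND_JS = """
const CHECK = "https://promodealsfinder.example/check";   // name mimics the extension
const CFG = ["https://cfg-node1.example/i", "https://cfg-node2.example/i"];
fetch(CHECK).then(r => r.json()).then(c => { if (c.uninstall) chrome.management.uninstallSelf(); });
"""


def risky_permissions(manifest):
    """Permissions in the manifest that fall in the broad set (MV2 and MV3 keys)."""
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return sorted(p for p in perms if p in BROAD_PERMISSIONS)


def extract_hostnames(script):
    """Every hostname appearing in an http(s) URL literal inside the script text."""
    hosts = set()
    for m in URL_RE.finditer(script):
        host = urlsplit(m.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def _normalize(name):
    """Lower-case alphanumerics only, so 'Promo Deals Finder' -> 'promodealsfinder'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_domains(hostnames, extension_name):
    """Hostnames whose label left of the TLD resembles the extension's name.
    Crude on purpose: assumes a single-label TLD and simple substring overlap."""
    key = _normalize(extension_name)
    hits = []
    for host in hostnames:
        labels = host.split(".")
        label = _normalize(labels[-2] if len(labels) >= 2 else labels[0])
        if key and (key in label or (label in key and len(label) >= 5)):
            hits.append(host)
    return sorted(hits)


def audit_extension(manifest_text, scripts):
    """Combine the checks into one report for a manifest and its script sources."""
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "")
    hosts = set()
    for script in scripts:
        hosts |= extract_hostnames(script)
    return {
        "name": name,
        "risky_permissions": risky_permissions(manifest),
        "hardcoded_hosts": sorted(hosts),
        "lookalike_hosts": lookalike_domains(hosts, name),
    }


if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND_JS]), indent=2))
```

To run this against a real installation, read manifest.json and the listed scripts from the unpacked extension directory under the browser profile and pass their contents to audit_extension; a lookalike hostname combined with tabs or <all_urls> is exactly the pattern the article describes and is a good reason to remove the extension.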