More than 500 extensions downloaded from the Chrome Web Store have clandestinely uploaded private browsing data to hacker-controlled servers. The conclusion comes from a study carried out by the Google Chrome team itself, in partnership with the two researchers who were the first to identify the fraudulent advertising scheme. With 1.7 million users affected, the company identified the extensions and has already removed them from the Chrome Web Store.
Chrome extensions are used to customize the browser, for example to change user interfaces, block ads or manage cookies. However, Jacob Rickerd, a computer security engineer at Duo, and independent researcher Jamila Kaya say the extensions they discovered are part of a malicious advertising campaign that also collected users' data.
In this particular case, the attackers redirected victims from legitimate online ad streams to pages hosting malware. "These extensions were commonly presented as those that offered advertising as a service," the researchers explain.
The campaign has been active since January 2019, scaling up its activity between March and June. The researchers initially identified 71 extensions carrying malware, while Google identified a further 430 related to the same campaign, generally with no ratings on the Chrome Web Store and with very similar code.
Once downloaded, the extensions would connect users to a command and control server, which would then exfiltrate private browsing data without their knowledge. In addition, the extensions would redirect users to various domains serving advertising streams. Although a large part of these ad streams were "genuine", they were often associated with malicious ad streams that redirected users to malware and phishing landing pages.
Most of the data uncovered by the researchers was identified with CRXcavator, Duo's free automated Chrome extension security assessment tool. In the dark world of malware, one of the most recent warnings came from Kaspersky, which alerted users to malware being shared disguised as Coronavirus documents. In January this year, SAPO TEK identified a new phishing wave, with Portuguese companies once again becoming the bait.