Cybersecurity firm Proofpoint has published a report naming eight Chrome extensions that have been hacked. Over the course of four months, these extensions were hijacked from their developers and used to serve malicious code and ads to their users. In previous cases, attackers used phishing techniques to steal login information.
The affected extensions are Copyfish, Web Developer, Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. Total installs for these extensions come to almost 4.8 million users. Tech site Bleeping Computer also reported on phishing attempts against the developer of two other Chrome extensions. Google has also been sending alert emails to developers, warning them to expect a rise in phishing attempts.
Once attackers have stolen a developer’s login information, they take over the extension’s code repository, add malicious code, repackage the extension and push out an update with the corrupted code. These attacks started in May, but Proofpoint researcher Kafeine linked some of the infrastructure to another malicious extension using cookie content scripts back in June 2016.
For now, users with the affected extensions should remove them from Chrome. Some of the developers are still trying to regain access to their accounts, so there is no telling when these extensions will be safe again. Kafeine stated that although there is no direct proof linking all of these attacks, it is still possible that the same group is behind them. The researcher is more worried about the stolen Cloudflare credentials, believing that they could become a new platform for launching attacks.
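To act on the removal advice above across many machines, the following added example (not from Proofpoint or the article) scans a Chrome profile's `Extensions` directory and reports installs whose name matches the eight listed extensions. It assumes Chrome's on-disk layout of `<extension id>/<version>/manifest.json`; the function names and the sample tree with made-up IDs are constructed for illustration.

```python
import json, re
from pathlib import Path

# Names exactly as listed in the article, which gives no extension IDs.
AFFECTED = ["Copyfish", "Web Developer", "Chrometana", "Infinity New Tab",
            "Web Paint", "Social Fixer", "TouchVPN", "Betternet VPN"]

def norm(s):  # lowercase, drop spaces/punctuation: "Touch VPN" matches "TouchVPN"
    return re.sub(r"[^a-z0-9]", "", s.lower())

def load(path):  # unreadable or malformed JSON yields {} so the audit keeps going
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(.+)__", name)
    if m:
        loc = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        for key, entry in load(loc).items():  # message keys are case-insensitive
            if key.lower() == m.group(1).lower():
                return entry.get("message", name)
    return name

def find_affected(extensions_root):
    """Return (extension_id, name, version) for installs whose name matches AFFECTED."""
    hits = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        manifest = load(mf)
        name = display_name(mf.parent, manifest)
        if any(norm(a) in norm(name) for a in AFFECTED):
            hits.append((mf.parent.parent.name, name, manifest.get("version", "?")))
    return hits

def build_sample(root):  # constructed two-extension tree with made-up IDs, for a dry run
    files = {
        "sample-aaaa/1.0_0/manifest.json":
            {"name": "__MSG_appName__", "version": "1.0", "default_locale": "en"},
        "sample-aaaa/1.0_0/_locales/en/messages.json": {"appname": {"message": "Touch VPN"}},
        "sample-bbbb/2.3_0/manifest.json": {"name": "Notes", "version": "2.3"},
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(data), encoding="utf-8")
    return root
```

Call `find_affected()` with the path to a profile's `Extensions` directory. Extension names are not unique, so treat a hit as a lead to confirm against the extension ID on its Chrome Web Store page before removing it.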