8 Chrome Browser Extensions Hijacked

Nearly 5 million users potentially affected

Cybersecurity firm Proofpoint has published a report naming eight Chrome extensions that were compromised. Over the course of four months, these extensions were hijacked from their developers and used to serve malicious code and ads to their users. In the cases investigated so far, attackers used phishing to steal the developers' login credentials.

The affected extensions are Copyfish, Web Developer, Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. Total installs for these extensions come to almost 4.8 million users. Tech site Bleeping Computer also reported phishing attempts against the developers of two other Chrome extensions, and Google has been sending alert emails to developers warning them to expect a rise in phishing attempts.

Once attackers have stolen a developer's login credentials, they take over the extension's Chrome Web Store account, add malicious code, repackage the extension and push out an update carrying the tampered code to every installed copy. These attacks started in May, but Proofpoint researcher Kafeine linked some of the infrastructure to another malicious extension that used cookie-stealing content scripts back in June 2016.

Kafeine made several observations about the recently affected extensions. The tampered versions wait at least ten minutes after installation or update, fetch a JavaScript file from a domain produced by a domain generation algorithm (DGA) and then harvest Cloudflare credentials from the browser. Next, they replace legitimate ads with malicious ones, show a popup alerting users to a fake error and redirect them to a new website as part of a redirect affiliate program. Most ad replacements occurred on adult sites and targeted 33 specific banner sizes.

For now, users with the affected extensions should remove them from Chrome. Some of the developers are still trying to regain access to their accounts, so there is no telling when these extensions will be safe again. Kafeine stated that although there is no direct proof linking all of these attacks, it is still possible that the same group is behind them. The researcher is more worried about the stolen Cloudflare credentials, believing they could become a new platform for launching further attacks.
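Because the hijacked versions were delivered as ordinary auto-updates, the first thing an administrator wants is an inventory of which machines have any of the eight named extensions installed. The script below is an added example written for this article, not code from Proofpoint or any of the extension authors: it walks a Chrome profile's `Extensions` folder (laid out as `<profile>/Extensions/<id>/<version>/manifest.json`), resolves localised names of the form `__MSG_key__` through the extension's `_locales/<default_locale>/messages.json`, and flags installs whose name matches the article's list. The name matching is a heuristic assumed here; a production check would key on extension IDs, which the article does not give.

```python
import json
import os

# The eight extension names from the Proofpoint report, lower-cased for matching.
AFFECTED_NAMES = {
    "copyfish", "web developer", "chrometana", "infinity new tab",
    "web paint", "social fixer", "touchvpn", "betternet vpn",
}

def resolve_name(manifest, messages=None):
    """Return the display name; a manifest may localise it as "__MSG_key__",
    with the real string stored under that key in messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__") and messages:
        key = name[len("__MSG_"):-len("__")]
        name = (messages.get(key) or {}).get("message", name)
    return name.strip()

def is_affected(name):
    """Case-insensitive match; a store listing may append a suffix to the name."""
    lowered = name.lower()
    return any(lowered == n or lowered.startswith(n + " ") for n in AFFECTED_NAMES)

def load_messages(version_dir, default_locale):
    """Read _locales/<default_locale>/messages.json when the extension ships one."""
    if not default_locale:
        return None
    path = os.path.join(version_dir, "_locales", default_locale, "messages.json")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def scan_extensions_dir(extensions_dir):
    """Return (extension id, version, name) for every installed copy that matches."""
    hits = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            version_dir = os.path.join(id_dir, version)
            manifest_path = os.path.join(version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            messages = load_messages(version_dir, manifest.get("default_locale"))
            name = resolve_name(manifest, messages)
            if is_affected(name):
                hits.append((ext_id, version, name))
    return hits
```

Point `scan_extensions_dir` at the profile's extension folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) and remove or disable any install it reports until the developer confirms a clean release.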