According to recent Proofpoint research, eight extensions for the Google Chrome web browser have been compromised by attackers, sending malicious ads to the affected users. In a report, Proofpoint explained that the authors of these extensions had their credentials stolen, allowing the attacker to take over.
The attacks occurred primarily in July and August 2017, with the attackers getting the credentials through a phishing scheme, the report said. This means that victims were exposed to malicious popups and potential schemes for stealing their credentials as well.
According to the report, these eight extensions were likely compromised:
- Web Developer 0.4.9
- Chrometana 1.1.3
- Infinity New Tab 3.12.3
- CopyFish 2.8.5
- Web Paint 1.2.1
- Social Fixer 20.1.1
- Betternet VPN
One of the first indications of this attack surfaced on August 2, when developer Chris Pederick reported his Web Developer for Chrome extension had been hijacked, the report said. In a tweet, Pederick wrote that “The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded.”
After checking to make sure that the extension has been installed, it will retrieve a ga.js file that allows it to steal the host’s credentials and swap out legitimate ads for malicious ones. While they did substitute ads for a range of websites, many of the malicious ads represented adult sites, the Proofpoint report said.
“In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.” the report said.
However, Proofpoint did note that Cloudflare took immediate action to remove the malicious activity that was reported to them.
The 3 big takeaways for TechRepublic readers
- Attackers have hijacked eight Google Chrome extensions, using them to serve malicious ads and direct users to scam services.
- The attack also attempts to steal credentials to hosting services–in this case Cloudflare–so that they’ll be able to conduct future attacks.
- Users who have any of the affected extensions installed should uninstall them and be careful not to click on any ads that seem suspicious.