Eight Chrome Extensions Hijacked to Deliver Malicious Code
Six more developers have had their Chrome extensions hijacked in the past four months, according to new evidence surfaced yesterday by Proofpoint researcher Kafeine.
Earlier this month, we reported about the hijacking of two Chrome extensions named Copyfish and Web Developer. In both cases, attackers used phishing emails to fool developers into handing over login credentials for their Chrome developer accounts.
Six more Chrome extensions hijacked
Yesterday, after some clever sleuthing, security researcher Kafeine identified six more Chrome extensions that had been hijacked in the same manner. The list includes:
Chrometana 1.1.3
Infinity New Tab 3.12.3
Web Paint 1.2.1
Social Fixer 20.1.1
TouchVPN
Betternet VPN
Adding up the total installs for all eight extensions, attackers managed to deliver their malicious code to nearly 4.8 million users.
In addition, Bleeping Computer also reported about several phishing attacks against the owner of two other Chrome extensions, and an email security alert sent by Google warning Chrome extension developers to be on the lookout for a spike in phishing attempts.
Google sent the email alert two weeks ago because, in all attacks, phishing was the first step of the hijacking process. This process continued when the attackers took over the extension's source code repository, added malicious code, repackaged the extension, and pushed out an update containing the malicious code.
Attackers focused on ad replacement, intrusive popups
While initial analysis of this code was rough around the edges, we now have more details thanks to Kafeine's analysis of the malicious code found in some of the hijacked extensions.
According to the Proofpoint researcher, the malicious code added to these extensions was specially crafted to carry out the following operations:
— Wait at least ten minutes after the extension's installation/update
— Retrieve a JavaScript file from a random DGA-generated domain
— Harvest Cloudflare credentials from the user's browser
— Replace ads on legitimate sites with ads supplied by the hijacker
— Most replacements took place on adult portals and for 33 precise banner sizes
— Show a popup alerting users about an error and redirect them to a new website part of a traffic redirection affiliate program
Attackers active since at least June 2016
All of these actions netted attackers small profits. While the phishing and hijacking attacks took place starting in May 2017, Kafeine linked some of the infrastructure used in these complex operations to a malicious Chrome extension that was discovered to deliver malicious code via cookie consent scripts back in June 2016.
This shows that the actors behind these attacks are well-versed in the inner-workings of both Chrome extensions and the Chrome Web Store, and will most likely continue their operation, despite the public exposure in recent weeks.
While there is no definite proof linking all these Chrome extensions hijacks to the same group, this cannot be just mere coincidence, and there's a high probability that all of the above attacks have been carried out by the same group or individual.
According to Kafeine, more worrisome was the fact that the crooks collected Cloudflare credentials, which the researcher believes might provide attackers with new means and infrastructure for future attacks.


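Since the malicious code reached users as a regular extension update, the practical check for an administrator is whether any profile on a machine has one of the hijacked releases unpacked on disk. The script below is an added example (not code from the post, Bleeping Computer or Proofpoint): it walks Chrome's Extensions directory, reads each manifest.json, and flags the (name, version) pairs the post lists. It assumes the manifest "name" matches the Web Store listing name (resolving the "__MSG_" localization placeholder where Chrome uses one), that the versions quoted above are the exact manifest versions, and that Chrome's default profile paths are the usual ones; the sample profile it builds is constructed data with fake extension IDs.

```python
"""Check a Chrome profile's on-disk extensions against known hijacked releases.

Added example (not code from the post, Bleeping Computer or Proofpoint).
Chrome unpacks each extension to <profile>/Extensions/<id>/<version>/manifest.json,
so installed name and version can be read without launching the browser.
Assumptions: the manifest 'name' matches the Web Store listing name, and the
version strings quoted in the post are the exact manifest versions.
"""
import json
import os
import tempfile
from pathlib import Path

# Releases named with a version in the post. Copyfish, Web Developer, TouchVPN and
# Betternet VPN are mentioned without a version, so they cannot be matched here.
HIJACKED_VERSIONS = {
    ("Chrometana", "1.1.3"),
    ("Infinity New Tab", "3.12.3"),
    ("Web Paint", "1.2.1"),
    ("Social Fixer", "20.1.1"),
}

# Default profile locations (assumed typical installs; adjust for other profiles).
DEFAULT_EXTENSION_DIRS = [
    "~/.config/google-chrome/Default/Extensions",                      # Linux
    "~/Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
]
if os.environ.get("LOCALAPPDATA"):                                     # Windows
    DEFAULT_EXTENSION_DIRS.append(os.path.join(
        os.environ["LOCALAPPDATA"], "Google", "Chrome", "User Data", "Default", "Extensions"))


def _localized_name(ext_dir, placeholder):
    """Resolve a '__MSG_key__' name via _locales/*/messages.json; keep placeholder if absent."""
    key = placeholder[len("__MSG_"):].rstrip("_")
    for messages in sorted(ext_dir.glob("_locales/*/messages.json")):
        try:
            entry = json.loads(messages.read_text(encoding="utf-8")).get(key)
        except (OSError, ValueError):
            continue
        if isinstance(entry, dict) and entry.get("message"):
            return entry["message"]
    return placeholder


def installed_extensions(extensions_dir):
    """Yield (ext_id, name, version, manifest_path) for each unpacked extension."""
    for manifest in sorted(Path(extensions_dir).expanduser().glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, don't abort the audit
        name = data.get("name", "")
        if name.startswith("__MSG_"):
            name = _localized_name(manifest.parent, name)
        # Chrome names the directory after the version, but the manifest is authoritative.
        version = str(data.get("version", manifest.parent.name))
        yield manifest.parent.parent.name, name, version, str(manifest)


def find_hijacked_extensions(extensions_dir, bad_versions=HIJACKED_VERSIONS):
    """Return installed extensions whose (name, version) is on the hijacked list."""
    return [
        {"id": ext_id, "name": name, "version": version, "path": path}
        for ext_id, name, version, path in installed_extensions(extensions_dir)
        if (name, version) in bad_versions
    ]


def make_sample_profile():
    """Write a constructed Extensions tree in a temp dir (fake IDs, sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-audit-"))
    samples = [
        ("a" * 32, {"name": "Chrometana", "version": "1.1.3"}, None),     # hijacked release
        ("b" * 32, {"name": "Web Paint", "version": "1.2.0"}, None),      # older, clean
        ("c" * 32, {"name": "__MSG_appName__", "version": "20.1.1"},
         {"appName": {"message": "Social Fixer"}}),                      # localized name
    ]
    for ext_id, manifest, messages in samples:
        ext_dir = root / ext_id / manifest["version"]
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            loc = ext_dir / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    # Audit real profiles if any exist on this machine, otherwise the constructed sample.
    targets = [d for d in DEFAULT_EXTENSION_DIRS if Path(d).expanduser().is_dir()]
    for target in targets or [make_sample_profile()]:
        for hit in find_hijacked_extensions(target):
            print(f"HIJACKED {hit['name']} {hit['version']} ({hit['id']}) at {hit['path']}")
```

A match here only says the hijacked release is present on disk; whether the injected script already ran depends on the ten-minute delay and on the DGA domain being reachable, so treat a hit as "remove and review", not as proof of compromise. Extending the list is a matter of adding (name, version) pairs once the affected versions of the other four extensions are known.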