Google removed over 500 malicious Chrome extensions that affected 1.7 million users
Google, working with security researchers, removed over 500 malicious Chrome extensions that are believed to be part of a larger campaign.
Google has removed over 500 malicious Chrome extensions from its Web Store. These extensions are said to have been part of a large malware operation and to have been active for two years.
Google worked with independent security researcher Jamila Kaya and Cisco's Duo Security to investigate and uncover the malicious Chrome extensions. Duo Security's Chrome extension security tool, CRXcavator, was used to identify copycat Chrome extensions that infected users by injecting malicious ads. Over 1.7 million users were found to be affected by these malicious Chrome extensions.
These extensions even managed to bypass the fraud detection of the Chrome Web Store. Further investigation revealed that the infected Chrome extensions could have been part of a larger campaign to hack into users' browsers and extract data. The hackers did this through a popular technique called "malvertising": they used advertising cookies and redirect chains to control callbacks and bypass detection on the Chrome Web Store.
"Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation. Alternatively, it also emerges in multipart malicious campaigns that involve advertising collection and defraudment," Jamila Kaya and Jacob Rickerd explain in a blog post.
Another contributing factor is the nature of browser extensions themselves, which are known to have weak security and privacy protections.
"The Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the user's knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store's fraud detection mechanisms," the security researchers further explained.
Although these Chrome extensions have been removed, hackers could still target browser extensions. The security researchers advise users to review the browser extensions they use, remove any they no longer need, and report any they do not recognise.
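The review the researchers recommend can be partly automated. The script below is an added example written for this article; it is not code from the article, from Duo Security or from CRXcavator. It walks a Chrome profile's Extensions directory (the standard per-platform locations are assumed), reads each extension's manifest.json, and flags extensions that request broad permissions such as access to every site, request interception or cookies, which are the kinds of capabilities an ad-injecting or data-exfiltrating extension would need. The permission list is the author's own choice, and the two sample manifests are constructed so the audit also runs offline.

```python
import json
import os
import sys
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Permission strings that give an extension broad reach over browsing data
# (every site, request interception, cookies, tabs, history). This list is
# the author's own choice for illustration, not a list from the article.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "webNavigation",
    "cookies", "tabs", "history",
}


def audit_manifest(ext_id: str, manifest: Dict) -> Dict:
    """Summarise one extension manifest and flag broad permissions."""
    requested = set(manifest.get("permissions", []))
    # Manifest V3 moved host patterns into a separate key; check both.
    requested |= set(manifest.get("host_permissions", []))
    flagged = sorted(p for p in requested if p in BROAD_PERMISSIONS)
    return {
        "id": ext_id,
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "broad_permissions": flagged,
        "needs_review": bool(flagged),
    }


def iter_manifests(extensions_dir: Path) -> Iterator[Tuple[str, Dict]]:
    """Yield (extension id, manifest) for every installed extension.

    Chrome lays extensions out as <profile>/Extensions/<id>/<version>/manifest.json.
    """
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            with manifest_path.open(encoding="utf-8") as fh:
                yield ext_id, json.load(fh)
        except (OSError, json.JSONDecodeError):
            # An unreadable manifest is itself worth a look, so report it.
            yield ext_id, {"name": "<unreadable manifest>", "permissions": []}


def audit_directory(extensions_dir: Path) -> List[Dict]:
    """Audit every extension found under a profile's Extensions directory."""
    return [audit_manifest(i, m) for i, m in iter_manifests(extensions_dir)]


def default_extensions_dir() -> Path:
    """Default Chrome profile extension directory for the current platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


# Two constructed manifests (not real extensions) so the audit runs offline:
# a benign one with a narrow permission, and a suspicious one whose
# permissions would let it read and rewrite traffic on every site.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Sample Note Taker", "version": "1.0",
        "permissions": ["storage"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Sample Coupon Finder", "version": "2.3",
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "storage"],
        "host_permissions": ["<all_urls>"],
    },
}


def audit_samples() -> List[Dict]:
    """Run the audit over the constructed sample manifests."""
    return [audit_manifest(i, m) for i, m in SAMPLE_MANIFESTS.items()]


def print_report(results: List[Dict]) -> None:
    for r in results:
        marker = "REVIEW" if r["needs_review"] else "ok    "
        perms = ", ".join(r["broad_permissions"])
        print(f"{marker} {r['id']} {r['name']} v{r['version']} {perms}")


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    if target.is_dir():
        print_report(audit_directory(target))
    else:
        print(f"{target} not found; auditing constructed sample manifests instead")
        print_report(audit_samples())
```

A "REVIEW" line is not proof of malice: a legitimate ad blocker needs request interception on every site too. The value of the report is the inventory itself, which lets a user compare what is installed against what they remember installing, and then remove or report anything they do not recognise, as the researchers suggest.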