Wednesday, 13 September 2017

Cyber Criminals Hijack Chrome Extensions and Put 4.7 Million Users at Risk

Developer Accounts of Popular Chrome Extensions Being Hijacked by Cyber Criminals, over 4.7 Million Users Are at a Risk of Cyber Attack

By Stuart Peck, Head of Cyber Security Strategy and Contributor on

Over 4.7 million users could be at risk after being exposed to malicious adverts and credentials theft due to developer accounts of popular chrome extensions being hijacked by cyber criminals.

A phishing campaign run by Cyber Criminals in July that targeted chrome extension developers, with the purpose of harvesting their Google account credentials, has led to 8 very popular chrome extensions being compromised.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s  Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.” reported the analysis of the security firm Proofpoint.

Figure 1 – example of phishing email- source Proofpoint

Using the compromised developer accounts, the threat actors were able to inject code in to the legitimate extensions that would serve its users substituted adverts to adult websites, windows repair scams, and in some cases credentials harvesting. Research conducted by Proofpoint reported that the affected extensions include:
  • Web Developer- 1,044,016 users
  • Chrometana- 597, 577 users
  • Infinity New Tab- 476, 803 users
  • CopyFish- 37,397 uses
  • Web Paint- 53,930 users
  • Social Fixer- 182, 083 users
  • TouchVPN- 1,031,690 users
  • Betternet VPN- 1, 334,517 users
Some of the tactics used by the threat actors were to check whether the Chrome Extension had been installed for 10 minutes – commonly thought to bypass detection.

if (( – installed) > 10 * 60 * 1000)

This check was made before proceeding with the rest of the extension code which resulted in retrieving a remote file “ga.js” from a server which the domain is generated via DGA (Domain Generation Algorithm), this call is made over HTTPS.

One of the objectives of compromised version of the extension was to attempt to substitute legitimate adverts on the victim’s browser, hijacking traffic from legitimate advertising networks and replacing with services (usually adult in nature), that the threat actors would profit from.

“While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites” continues Proofpoint.

The adverts worked for a specific set of 33 banner sizes shown in the code snippet from 973820_BNX.js?rev=133 below:

Figure 2 Banner size for substituted malicious adverts source Proofpoint

Also, it was noted in the research conducted by Proofpoint concluded that similar pop up alerts known to be associated with the compromise of Infinity New Tab extension in May and fake EU cookie-consent alert last year were also found in this campaign.

In summary, attackers are increasingly targeting developers through a phishing email, as a way to gain access to a large user base to quickly generate traffic to their affiliate schemes or gather credentials than can be later harvested for profit.

This is a worrying trend and developers need to be more aware of the increased risks, it was only 6 months ago when researchers discovered that attackers were targeting developers of Github repositories to gain access to fintech or high tech companies.

The tactics on display in this particular campaign are not necessarily new but demonstrate the potential widespread impact of the phishing emails, but a question that hasn’t really been answered is why didn’t the developers have 2FA for their Google developer accounts?

No comments:

Post a Comment