Attacker goes on mass hijacking spree of Chrome extensions

Geronimo Vena
August 17, 2017

Proofpoint researcher Kafeine has identified six compromised Chrome extensions that were recently modified by an attacker after phishing their developers' Google Account credentials.

Last month it was reported that the Chrome extension Copyfish was compromised after its developer responded to a phishing email with his Google password.

In June, TouchVPN and BetternetVPN were also compromised, Proofpoint researcher Kafeine said. "In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims' browsers".

The compromised versions identified were Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, Copyfish 2.8.5, Web Paint 1.2.1 and Social Fixer 20.1.1.
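
As an added example (not from the article or from Proofpoint), the following script audits a Chrome profile's on-disk Extensions directory for the name/version pairs listed above. The article does not give the Web Store extension IDs, so matching is done on the `name` and `version` fields of each `manifest.json`; because extension names are often localized as `__MSG_key__` placeholders, the scan resolves them through the extension's default-locale `messages.json`. The sample profile it builds is constructed for an offline demonstration and uses made-up extension IDs.

```python
import json
import tempfile
from pathlib import Path

# Compromised (name, version) pairs as listed in the article.
COMPROMISED_VERSIONS = {
    ("Web Developer", "0.4.9"),
    ("Chrometana", "1.1.3"),
    ("Infinity New Tab", "3.12.3"),
    ("Copyfish", "2.8.5"),
    ("Web Paint", "1.2.1"),
    ("Social Fixer", "20.1.1"),
}


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Return the extension's display name, resolving a __MSG_key__ placeholder
    through _locales/<default_locale>/messages.json when that file exists."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_path = ext_dir / "_locales" / locale / "messages.json"
        if messages_path.is_file():
            with messages_path.open(encoding="utf-8") as fh:
                entry = json.load(fh).get(key)
            if isinstance(entry, dict) and "message" in entry:
                return entry["message"]
    return name


def scan_extensions(extensions_root, compromised=COMPROMISED_VERSIONS):
    """Walk <profile>/Extensions/<id>/<version_dir>/manifest.json and return a sorted
    list of (extension_id, name, version) for installed versions in `compromised`.
    The version is taken from the manifest, not the directory name, because Chrome
    appends a suffix such as "_0" to the on-disk version directory."""
    hits = []
    root = Path(extensions_root)
    if not root.is_dir():
        return hits
    for ext_id_dir in root.iterdir():
        if not ext_id_dir.is_dir():
            continue
        for version_dir in ext_id_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                with manifest_path.open(encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, do not abort the audit
            name = resolve_name(version_dir, manifest)
            version = manifest.get("version", "")
            if (name, version) in compromised:
                hits.append((ext_id_dir.name, name, version))
    return sorted(hits)


def build_sample_profile(base_dir):
    """Write a constructed Extensions tree (made-up IDs, not real ones) for the demo:
    a compromised Web Developer 0.4.9 with a localized name, a clean Web Developer
    0.5.0, a compromised Chrometana 1.1.3, and one malformed manifest."""
    base = Path(base_dir)
    samples = [
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "0.4.9_0",
         {"name": "__MSG_appName__", "version": "0.4.9", "default_locale": "en"},
         {"appName": {"message": "Web Developer"}}),
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "0.5.0_0",
         {"name": "Web Developer", "version": "0.5.0"}, None),
        ("cccccccccccccccccccccccccccccccc", "1.1.3_0",
         {"name": "Chrometana", "version": "1.1.3"}, None),
    ]
    for ext_id, version_dir, manifest, messages in samples:
        d = base / ext_id / version_dir
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc = d / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True, exist_ok=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    bad = base / "dddddddddddddddddddddddddddddddd" / "9.9.9_0"
    bad.mkdir(parents=True, exist_ok=True)
    (bad / "manifest.json").write_text("{not json", encoding="utf-8")  # must be skipped
    return base


def demo():
    """Run the scan over the constructed profile and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext_id, name, version in demo():
        print(f"COMPROMISED: {name} {version} (id {ext_id})")
```

To audit a real profile, point `scan_extensions` at the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux). Two caveats: a user whose browser already auto-updated to the developer's fixed release will no longer have the compromised version on disk, so a clean scan does not mean the account was never exposed to the malicious update; and a scan of Chrome's own directory with the known compromised extension IDs, which the article does not give, would be stronger than matching on manifest names.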

"At the end of July and beginning of August, several Chrome Extensions were compromised after their author's Google Account credentials were stolen via a phishing scheme", Proofpoint wrote.

"Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions", Proofpoint warned. In each case the threat actors lured the developer with a phishing email, used the stolen credentials to take over the Google Account, and pushed a malicious update of the extension that substituted ads on the websites its users visited.

The security firm's latest research reveals that the same attack vector has been used against other developers too. These compromised extensions appear to have the goal of substituting ads in victims' browsers, hijacking traffic from legitimate ad networks.

At least one of the affiliate programs receiving the hijacked traffic promoted PCKeeper, a Windows-focused tool originally from Zeobit LLC, the maker of the MacKeeper security product that was the subject of a class action suit a few years ago over false security claims. While the actors substituted ads on a range of websites, many of the replacement ads were for adult sites, the Proofpoint report said.

"In many cases, victims were presented with fake JavaScript alerts prompting them to fix their PC, then redirecting them to affiliate programs from which the threat actors could profit", notes Kafeine.

Proofpoint also reported: "In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks."
