Chrome Extensions Found Compromised, Spreading Adware

A new way attackers are making money is by phishing extension developers, compromising their Chrome extensions and modifying them to serve affiliate-program ads that scare victims into paying for "repairs" of their PCs.

Six compromised Chrome extensions have been identified by Kafeine, a Proofpoint researcher. Each extension was recently modified by an attacker after its developer's Google Account credentials were phished.

The compromised extensions are the following: Chrometana 1.1.3, CopyFish 2.8.5, Web Developer 0.4.9, Infinity New Tab 3.12.3, Web Paint 1.2.1, and Social Fixer 20.1.1. The extensions were compromised between late July and early August, and the researcher who discovered them believes TouchVPN and Betternet VPN were also compromised in late June with the same technique.

It is believed that the intention of the attacks on these developers was to redirect Chrome users to affiliate programs and swap legitimate ads for malicious ones, all to earn the attacker money through referrals.

It has also become known that the attackers hold credentials of Cloudflare users (Cloudflare is an availability service for website operators), which are probably being stored for use in future attacks.

The modified extensions were mostly coded to replace banner ads on adult websites, as well as other sites, and to steal traffic from legitimate ad networks.

Kafeine said that in the most common case a victim was presented with a fake JavaScript alert telling them to repair their PC, which then redirected the victim to an affiliate program from which the attacker profits.

As far as we know, at least one of the affiliate programs promoted PCKeeper, which was the subject of a class-action suit a few years ago over false security claims.

Part of the JavaScript in one compromised extension would also download a file served by Cloudflare containing a script designed to capture Cloudflare user credentials after login. Cloudflare stopped serving the file after Proofpoint alerted it to the issue.

As for the phishing emails that compromised the developers' Google accounts, they appeared to come from Google's Chrome Web Store team and claimed that the developer's extension did not comply with its policies and would be removed unless the issue was fixed.

According to Bleeping Computer, Google's security team warned Chrome extension developers of these phishing attacks in an email. Apparently, the attackers had created a convincing copy of Google's real account login page.

Unfortunately, this was not the first case of Chrome extensions being targeted to spread adware and promote affiliate networks. Back in 2014, adware firms bought several popular Chrome extensions from legitimate developers who, up to that point, had maintained trustworthy products.