A new way attackers are making money is by phishing extension developers so that their Chrome extensions can be compromised and made to spread affiliate-program ads that scare victims into paying for "repairs" of their PCs.
Six compromised Chrome extensions have been identified by Kafeine, a Proofpoint researcher. Each extension was recently modified by an attacker after the developer's Google Account credentials were phished.
The compromised extensions are: Chrometana 1.1.3, CopyFish 2.8.5, Web Developer 0.4.9, Infinity New Tab 3.12.3, Web Paint 1.2.1, and Social Fixer 20.1.1. They were compromised between late July and early August, and the researcher who discovered them believes TouchVPN and Betternet VPN were also compromised in late June using the same technique.
The attacks on these developers are believed to have been intended to redirect Chrome users to affiliate programs and swap legitimate ads for malicious ones, all so the attacker could earn money through referrals.
It has also become known that the attackers are harvesting credentials of CloudFlare users (CloudFlare is an availability service for website operators), which are probably being stored for use in future attacks.
The modified extensions were changed mainly to replace banner ads on adult websites, as well as other sites, and to steal traffic from legitimate ad networks.
The phishing emails that compromised the developers' Google accounts appeared to come from Google's Chrome Web Store team; they claimed that the developer's extension did not comply with the store's policies and would be removed unless the issue was fixed.
According to Bleeping Computer, Google's security team warned Chrome extension developers about these phishing attacks in an email. The attackers had apparently created a convincing copy of Google's real account login page.
Unfortunately, this is not the first case of Chrome extensions being targeted to spread adware and promote affiliate networks. Back in 2014, adware firms bought several popular Chrome extensions from legitimate developers who, up to that point, had maintained trustworthy products.