Chrome extensions

Six more developers have had their Chrome extensions hijacked in the past four months, according to new evidence surfaced yesterday by Proofpoint researcher Kafeine.

Earlier this month, we reported about the hijacking of two Chrome extensions named Copyfish and Web Developer. In both cases, attackers used phishing emails to fool developers into handing over login credentials for their Chrome developer accounts.

Six more Chrome extensions hijacked

Yesterday, after some clever sleuthing, security researcher Kafeine identified six more Chrome extensions that had been hijacked in the same manner. The list includes:

Adding up the total installs for all eight extensions, attackers managed to deliver their malicious code to nearly 4.8 million users.

In addition, Bleeping Computer also reported about several phishing attacks against the owner of two other Chrome extensions, and a email security alert sent by Google warning Chrome extension developers to be on the lookout for a spike in phishing attempts.

Google sent the email alert two weeks ago because, in all attacks, phishing was the first step of the hijacking process. This process continued when the attackers took over the extension's source code repository, added malicious code, repackaged the extension, and pushed out an update containing the malicious code.

Attackers focused on ad replacement, intrusive popups

While initially, analysis of this code was rough around the corners, we now have more details thanks to Kafeine's analysis of the malicious code found in some of the hijacked extensions.

According to the Proofpoint researcher, the malicious code added to these extensions was specially crafted to carry out the following operations:

— Wait at least ten minutes after the extension's installation/update
— Retrieve a JavaScript file from a random DGA-generated domain
— Harvest Cloudflare credentials from the user's browser
— Replace ads on legitimate sites with ads supplied by the hijacker
— Most replacements took place on adult portals and for 33 precise banner sizes
— Show a popup alerting users about an error and redirect them to a new website part of a traffic redirection affiliate program

Attackers active since at least June 2016

All of these actions netted attackers small profits. While the phishing and hijacking attacks took place starting with May 2017, Kafeine linked some of the infrastructure used in these complex operations to a malicious Chrome extension that was discovered to deliver malicious code via cookie consent scripts back in June 2016.

This shows that the actors behind these attacks are well-versed in the inner-workings of both Chrome extensions and the Chrome Web Store, and will most likely continue their operation, despite the public exposure in recent weeks.

While there is no definite proof linking all these Chrome extensions hijacks to the same group, this cannot be just mere coincidence, and there's a high probability that all of the above attacks have been carried out by the same group or individual.

According to Kafeine, more worrisome was the fact that the crooks collected Cloudflare credentials, which the researcher believes might provide attackers with new means and infrastructure for future attacks.