Six more developers have had their Chrome extensions hijacked in the past four months, according to new evidence surfaced yesterday by Proofpoint researcher Kafeine.
Earlier this month, we reported on the hijacking of two Chrome extensions named Copyfish and Web Developer. In both cases, attackers used phishing emails to fool developers into handing over login credentials for their Chrome developer accounts.
Yesterday, after some clever sleuthing, security researcher Kafeine identified six more Chrome extensions that had been hijacked in the same manner. The list includes:
Adding up the total installs for all eight extensions, attackers managed to deliver their malicious code to nearly 4.8 million users.
In addition, Bleeping Computer also reported on several phishing attacks against the owner of two other Chrome extensions, and on an email security alert sent by Google warning Chrome extension developers to be on the lookout for a spike in phishing attempts.
Google sent the email alert two weeks ago because, in all attacks, phishing was the first step of the hijacking process. This process continued when the attackers took over the extension's source code repository, added malicious code, repackaged the extension, and pushed out an update containing the malicious code.
While the initial analysis of this code was rough around the edges, we now have more details thanks to Kafeine's analysis of the malicious code found in some of the hijacked extensions.
According to the Proofpoint researcher, the malicious code added to these extensions was specially crafted to carry out the following operations:
All of these actions netted attackers small profits. While the phishing and hijacking attacks took place starting in May 2017, Kafeine linked some of the infrastructure used in these complex operations to a malicious Chrome extension that was discovered delivering malicious code via cookie consent scripts back in June 2016.
This shows that the actors behind these attacks are well-versed in the inner workings of both Chrome extensions and the Chrome Web Store, and will most likely continue their operation despite the public exposure in recent weeks.
While there is no definite proof linking all of these Chrome extension hijacks to the same group, this cannot be mere coincidence, and there is a high probability that all of the above attacks were carried out by the same group or individual.
According to Kafeine, more worrisome is the fact that the crooks also collected Cloudflare credentials, which the researcher believes might provide the attackers with new means and infrastructure for future attacks.