Malicious Chrome extensions

Security researchers from US cyber-security firm ICEBRG have spotted four Chrome extensions featuring malicious code that were available through the official Chrome Web Store.

According to researchers, the four Chrome extensions were designed to allow attackers to send malicious commands to users' browsers in the form of JavaScript code, but attackers only used this ability to perform click fraud by loading a site in the background and clicking on ads.

The names of the four extensions are Change HTTP Request Header (ppmibgfeefcglejjlpeihfdimbkfbbnm), Nyoogle - Custom Logo for Google (ginfoagmgomhccdaclfbbbhfjgmphkph), Lite Bookmarks (mpneoicaochhlckfkackiigepakdgapj), and Stickies - Chrome's Post-it Notes (djffibmpaakodnbmcdemmmjmeolcmbae).

Of the four, Nyoogle is still available on the Chrome Web Store at the time of writing.

In total, over 500,000 users were using the extensions when ICEBRG detected the malicious behavior and notified the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and the Google Safe Browsing Operations team.

While three of the four extensions were removed from the Chrome Web Store, many users still have the extensions loaded in their browsers.

The company has published a detailed report on the extensions' malicious behavior in the hopes that users will take the time to check their browser and remove the malicious extensions for their computers.

It is unclear if the same group is behind all four extensions, but ICEBRG said the four extensions featured similar tactics, techniques, and procedures (TTPs).

Related Articles:

Malwarebytes Browser Extension Blocks Malware, Scams, Ads, & Trackers

Google Removes Real Ethereum Wallet From Web Store but Leaves Fake One Alone

Google's Removing the file:// Scheme from Chrome's Address Bar

Chrome 69 Shows the WWW & M Subdomains Again, but It’s Only Temporary

Chrome 69 for iOS Moved Navigation Bar to Bottom of Screen & Users are Unhappy