Google Warns Chrome Browser Users NOT To Activate Any Of These 500 Extensions

Google Warns Chrome Browser Users NOT To Activate Any Of These 500 Extensions

Google has warned Chrome users to not activate over 500 extensions due to fraudulent transactions targeted at users. On January 20, it was reported how Google had confirmed a publication or update of all paid-for extensions in the Chrome Web Store had been temporarily suspended.

The reason was cited as being a significant increase in the number of fraudulent transactions attempting to defraud users. Things have just got a lot worse, or a lot better, depending on whether you’re a glass-half-empty or half-full person: a total of 500 Chrome web browser extensions have been identified, and deactivated, that were stealthily uploading user data.

Researchers say the malicious campaign executed by these 500 Chrome extensions was operational since at least January 2019 but could date back as far as 2017.

Digging into Chrome web browser extension fraud

The fraud campaign was unearthed in a joint operation between Cisco’s Duo Security team and an independent security researcher, Jamila Kaya. They initially discovered that 70 Chrome web browser extensions, which had been installed by at least 1.7 million users, were obfuscating malicious advertising functionality from those unknowing users. Using a scam methodology that involved redirecting the browser to a whole bunch of domains, and then onto one of a number of malicious control servers to direct the fraud itself. This involved providing different locations to which private user browsing data should be uploaded and lists of advertisements to be fed to the browser.

According to the report, authored jointly by Jamila Kaya and Duo Security information security engineer Jacob Rickerd, this primary malicious behavior resulted in users regularly getting fed new redirector domains leading to both “benign” and illegitimate advertising streams. Even though most of the ad streams fed to those users who had installed any of these Chrome web browser extensions were from “genuine” advertisers, the researchers said that what differentiated them as being malvertising ad fraud was “the large volume of ad content shown, the fact that the user does not see many if not the majority of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing.”

Google responds quickly to mitigate against the threat from these malicious Chrome extensions

Once the researchers had reported their findings to Google, things escalated somewhat. The Google security team went on to identify an additional 430 Chrome web browser extensions involved. These, along with the original 70 extensions, were then removed from the Google Chrome Web Store. This is to be expected, as Google has proven to be taking a very proactive stance when it comes to matters of security.

A Google spokesperson said that “when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.” The spokesperson also told the Duo Security researchers that Google executes “regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”

Do NOT reactivate any of these extensions

About Author

BillionBill

See author's posts