Unfortunately, cyber criminals never stop innovating. Their latest method combines poisoning Google's Chrome extension ecosystem with social engineering tactics that lure users into installing malware-laden extensions. In this case, users were tricked into installing extensions that were ostensibly advertising-as-a-service tools for their business. What they got instead was an infection that made their browsers part of a multi-faceted scam involving malvertising, data exfiltration, redirection, and phishing.
Fortunately, independent security researcher Jamila Kaya, using CRXcavator, a free tool developed and released by Cisco's Duo Security, made the discovery that led to the purging of these 500 extensions from the Chrome Web Store.
This scheme used a sophisticated combination of malicious techniques, including code obfuscation and sandbox evasion (to hide from Google's automated detection) and a command and control server that acted as the brains of the operation, issuing instructions that sent infected browsers through a round robin of sites to accumulate fraudulent ad revenue. Some of those sites were benign; others were malvertising or phishing sites.
The command and control servers also issued orders to steal (exfiltrate) users' private browsing data, and the extensions requested extensive permissions that gave them access to that data. One domain found in the command and control infrastructure had even been identified by the state of Missouri as a phishing site.
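The permissions an extension requests are the first thing a reviewer can check, and broad ones (access to every site, every request, every cookie) are exactly what a campaign like this one needs. The following is an added example, not code from this page or from Duo's CRXcavator, of a minimal permission-risk triage over an extension's manifest.json. The weights, the score thresholds and both sample manifests are constructed for illustration, and the command and control host in the sample is a placeholder, not a real indicator.

```javascript
// Added example (not the page's or CRXcavator's code): score a Chrome
// extension manifest by the permissions and policies that let it read or
// rewrite browsing data. Weights and thresholds below are assumed values.
const PERMISSION_WEIGHTS = {
  "<all_urls>": 40,        // host access to every site
  webRequest: 20,          // observe every request the browser makes
  webRequestBlocking: 20,  // rewrite or redirect every request
  cookies: 20,             // session cookies for any granted host
  nativeMessaging: 25,     // talk to a native binary outside the sandbox
  history: 15,
  management: 15,
  tabs: 10,                // URLs and titles of all open tabs
  webNavigation: 10,
  storage: 2,
};

// A host permission that matches every origin, e.g. "*://*/*" or "http://*/*".
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(pattern);
}

// Manifest V2 mixes API and host permissions in "permissions";
// Manifest V3 moves host patterns into "host_permissions". Check both.
function allPermissions(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
}

function auditManifest(manifest) {
  const findings = [];
  let score = 0;

  for (const perm of allPermissions(manifest)) {
    if (Object.prototype.hasOwnProperty.call(PERMISSION_WEIGHTS, perm)) {
      score += PERMISSION_WEIGHTS[perm];
      findings.push(`permission ${perm}`);
    } else if (isBroadHostPattern(perm)) {
      score += PERMISSION_WEIGHTS["<all_urls>"];
      findings.push(`host pattern ${perm} covers every site`);
    }
  }

  // A content script injected into every page can read forms and page
  // contents and redirect the tab, so count it once regardless of how many.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHostPattern)) {
      score += 15;
      findings.push("content script injected into every page");
      break;
    }
  }

  // An MV2 content_security_policy that allows eval or a remote script-src is
  // what lets an extension fetch and run instructions from a server at runtime.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src")) || "";
  if (scriptSrc.includes("'unsafe-eval'")) {
    score += 20;
    findings.push("CSP allows 'unsafe-eval'");
  }
  if (/\bhttps?:\/\//.test(scriptSrc)) {
    score += 20;
    findings.push("CSP allows remote script-src");
  }

  const level = score >= 60 ? "high" : score >= 25 ? "medium" : "low";
  return { score, level, findings };
}

// Constructed sample: the shape of an "advertising as a service" extension
// like those in the campaign. The C2 host is a placeholder (.invalid TLD).
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "Ad Network Helper",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://c2.example.invalid; object-src 'self'",
};

// Constructed sample: a benign extension that only keeps local settings.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Note Keeper",
  permissions: ["storage"],
};

console.log(JSON.stringify(auditManifest(SUSPICIOUS_MANIFEST), null, 2));
console.log(JSON.stringify(auditManifest(BENIGN_MANIFEST), null, 2));
```

Run it with `node audit.js` against a manifest pulled from an unpacked extension directory. A high score is not proof of malice (ad blockers legitimately need `webRequestBlocking` on every site), but it is the cue to read the code, and in particular to look for a remote script-src or `'unsafe-eval'` that would let the extension take instructions from a server the way the extensions in this campaign did.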
This is not the first time a huge crop of malicious extensions has been discovered and removed from the Chrome Web Store for behaving badly *after* millions of people had already installed them.
It is also a warning that social engineering tradecraft could become much more prevalent in browser extension fraud, enticing users to install apps and extensions that are not what they claim to be.
CRXcavator is an automated Chrome extension security assessment tool that Duo released free of charge last year to help identify and remove malicious Chrome extensions.
According to Duo, "these extensions were commonly presented as offering advertising as a service. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.
Google was receptive and responsive to the report. Once the report was submitted, they worked to validate the findings and went on to fingerprint the extensions. This allowed Google to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions."
This is a good reminder that things are not always what they seem. Keep building your security culture and promote an extra bit of skepticism whenever possible. Stepping your executives through New-school Security Awareness Training is highly recommended. Our Executive Series modules are each less than 5 minutes long; check them out with a free demo of the ModStore.