Published On: Wed, Aug 16th, 2017

Attackers Go on a “Chrome Extension Hijacking Spree” – Several More Compromised

Last month it was reported that a Chrome extension, Copyfish, was compromised after a developer responded to a phishing email – with his Google password. While it might have seemed like a one-off case, researchers have now suggested that at least 8 more Chrome extensions are no longer safe to use after someone stole the author’s Google Account credentials via a phishing scheme. This has in turn put the users of those extensions at risk of traffic hijacking and potential theft of credentials.

Security experts at Proofpoint released their research, confirming the list of compromised Chrome extensions:

We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10], “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.

Criminal hackers and spammers continue to look for new ways to drive traffic to affiliate programs and serve malicious advertisements to their users. In this new case that was first reported last month, researchers noted that attackers are now leveraging Chrome extensions to steal traffic and substitute advertisements on victims’ browsers.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme,” Proofpoint wrote. “Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.”

Proofpoint has not identified any developers except for Chris Pederick, who is the author of the Web Developer Chrome extension and had tweeted about the compromise of his extension earlier this month, which actually sparked this research.

Chrome extension developers appear to be on cybercriminals’ hit list right now

The security firm’s latest research reveals that the same attack vector has been used against other developer(s) too. These compromised extensions appear to have the goal of substituting ads on the victim’s browser, hijacking traffic from legitimate ad networks. They also try to trick users into clicking on “repair” programs that redirect them to affiliate programs from which the threat actors could profit.

In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.

While the attackers did this on a number of websites, they focused most on adult websites with carefully crafted substitutions.

The first case of attackers using Chrome extensions for their scams was reported in July when an A9t9 developer behind the Copyfish extension fell for a phishing email purportedly sent from Google. “The unlucky team member entered the password for the developer account,” A9t9 Software had said in response. Since then the company has worked with Google to get back full control of their extension.

A9t9 had written at the time that “phishing for Chrome extensions was simply not on the radar screen,” which is how they ignored some “clear giveaways.” With Proofpoint’s latest revelations, it appears that many more developers will have to specifically devote their energy to not falling for phishing attacks.
