500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users

Google removed 500 malicious Chrome extensions from its Web
Store after they found to inject malicious ads and siphon off user
browsing data to servers under the control of attackers.

These extensions were part of a malvertising and ad-fraud
campaign that’s been operating at least since January 2019,
although evidence points out the possibility that the actor behind
the scheme may have been active since 2017.

The findings come as part of a joint
investigation by security researcher Jamila Kaya and
Cisco-owned Duo Security, which unearthed 70 Chrome Extensions with
over 1.7 million installations.
^[1]

Upon sharing the discovery privately with Google, the company went
on to identify 430 more problematic browser extensions, all of
which have since been deactivated.

“The prominence of malvertising as an attack vector will
continue to rise as long as tracking-based advertising remains
ubiquitous, and particularly if users remain underserved by
protection mechanisms,” said Kaya and Duo Security’s Jacob Rickerd
in the report.

A Well-Concealed Malvertising Campaign

Using Duo Security’s Chrome extension security assessment tool —
called CRXcavator — the
researchers were able to ascertain that the browser plugins
operated by surreptitiously connecting the browser clients to an
attacker-controlled command-and-control (C2) server that made it
possible to exfiltrate private browsing data without the users’
knowledge.

The extensions, which functioned under the guise of promotions
and advertising services, had near-identical source code but
differed in the names of the functions, thereby evading Chrome Web
Store detection mechanisms.

In addition to requesting extensive permissions that granted the
plugins access
to clipboard and all the cookies stored locally in the browser,
they periodically connected to a domain that shared the same name
as the plugin (e.g., Mapstrekcom, ArcadeYumcom) to check for
instructions on getting themselves uninstalled from the
browser.
Upon making initial contact with the site, the plugins subsequently
established contact with a hard-coded C2 domain — e.g., DTSINCEcom
— to await further commands, the locations to upload user data, and
receive updated lists of malicious ads and redirect domains, which
subsequently redirected users’ browsing sessions to a mix of
legitimate and phishing sites.

“A large portion of these are benign ad streams, leading to ads
such as Macy’s, Dell, or Best Buy,” the report found. “Some of
these ads could be considered legitimate; however, 60 to 70 percent
of the time a redirect occurs, the ad streams reference a malicious
site.”

Beware of Data-Stealing Browser Extensions

This is not the first time data-stealing extensions have been
discovered on the Chrome browser. Last July, security researcher
Sam Jadali and The Washington
Post uncovered a massive data leak called DataSpii (pronounced
data-spy) perpetrated by shady Chrome and Firefox extensions
installed on as many four million users’ browsers.

These add-ons collected browsing activity — including personally
identifiable information — and shared it with an unnamed
third-party data broker that passed it on to an analytics firm
called Nacho Analytics (now shut down), which then sold the
collected data to its subscription members in near real-time.

In response, Google began
requiring extensions^[7]
to only request access to the “least amount of
data^[8]” starting October 15,
2019, banning any extensions that don’t have a privacy policy and
gather data on users’ browsing habits.

For now, the same rule of caution applies: review your extension
permissions, consider uninstalling extensions you rarely use or
switch to other software alternatives that don’t require invasive
access to your browser activity.

^{[2][3][4][5][6]}