In an investigation that began two months ago, independent security researcher Jamila Kaya found that hundreds of extensions were infecting browsers. She teamed with Cisco’s Duo Security team and escalated concerns to Google, which then removed the offending extensions from the store.
The details of the investigation
Kaya used Cisco’s Duo Security extension analyzer tool, CRXcavator, to find that extensions that appeared to be playing by Google’s rules were using advertising to redirect users to certain sites.
In some cases, users were directed to legitimate sites but with an affiliate link so the extensions could get credit for the page visit. In other more nefarious cases, users were sent to a page that infected them with malware or exposed them to a phishing scheme.
Researchers were able to confirm that the bulk of these extensions had been operational since January 2019, but the campaign may also be linked to a larger operation going back several years.
Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation. Alternatively, it also emerges in multipart malicious campaigns that involve advertising collection and defraudment.
The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms.
Google moved quickly to take down the offending extensions marked by Kaya, in addition to removing additional ones uncovered in its own investigation.
We appreciate the work of the research community, and when we are alerted to extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses. We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.
How can you protect yourself from extension attacks?
There’s not much you need to do to protect yourself from this particular attack: the offending extensions have been removed from the Chrome Web Store.
If you had any of these extensions installed, you’ll find that they no longer open immediately when you try to launch them. Instead, you’ll see a popup notifying you that the extension has been disabled and marked as malicious. You’ll have the option of reactivating the extension — after all, Google can’t uninstall things from your desktop.
That said, be aware that reactivating the extension will expose you to malicious advertising, phishing pages, and/or malware.
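For anyone who wants to verify what Chrome has recorded about their installed extensions rather than rely on the popup, the following script is an added example (it is not from the article, from Duo Security, or from Google). It reads the JSON "Preferences" file in a Chrome profile directory, lists every extension with its enabled state, whether Chrome has flagged it as malicious, whether it came from the Web Store, and which broad permissions it holds, and specifically reports flagged extensions that have been switched back on. The key names (`extensions.settings`, `state`, `blacklist_state`, `from_webstore`, `manifest`) are my understanding of Chrome's Preferences layout and should be treated as assumptions; the sample data is constructed, and the extension ids and names in it are made up.

```python
"""Inventory Chrome extensions from a profile's Preferences JSON and flag
extensions Chrome marked malicious that a user has re-enabled.

Added example; Preferences key names are assumed, sample data is constructed.
Typical file locations:
  Linux:   ~/.config/google-chrome/Default/Preferences
  macOS:   ~/Library/Application Support/Google/Chrome/Default/Preferences
  Windows: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences
"""
import json
import sys
from pathlib import Path

# Permissions worth a second look: they let an extension watch or rewrite
# every page and request, which is what ad-redirect injection needs.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                     "webNavigation", "declarativeNetRequest"}

# Constructed sample of the relevant part of a Preferences file.
# Ids are 32 lowercase letters like real Chrome ids but are made up here.
SAMPLE_PREFERENCES = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "state": 1,                      # 1 = enabled, 0 = disabled
                "from_webstore": True,
                "manifest": {"name": "Harmless Notes", "version": "2.1.0",
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "state": 0,
                "blacklist_state": 1,            # non-zero = flagged by Chrome
                "from_webstore": True,
                "manifest": {"name": "Deals Finder", "version": "0.9.3",
                             "permissions": ["tabs", "webRequest", "<all_urls>"]},
            },
            "cccccccccccccccccccccccccccccccc": {
                "state": 1,                      # flagged, yet enabled again
                "blacklist_state": 1,
                "from_webstore": False,
                "manifest": {"name": "Coupon Helper", "version": "1.4.0",
                             "permissions": ["webRequestBlocking", "<all_urls>"]},
            },
        }
    }
}


def load_preferences(path):
    """Parse a real Preferences file from disk."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def inventory(prefs):
    """One record per extension, sorted by name."""
    settings = prefs.get("extensions", {}).get("settings", {})
    records = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "enabled": entry.get("state") == 1,
            "flagged": entry.get("blacklist_state", 0) != 0,
            "from_webstore": bool(entry.get("from_webstore", False)),
            "broad_permissions": sorted(perms & BROAD_PERMISSIONS),
        })
    return sorted(records, key=lambda r: r["name"].lower())


def reactivated_flagged(prefs):
    """Ids of extensions Chrome flagged as malicious that are enabled anyway."""
    return [r["id"] for r in inventory(prefs) if r["flagged"] and r["enabled"]]


def report(prefs):
    """Human-readable table of the inventory, one line per extension."""
    lines = []
    for r in inventory(prefs):
        status = "ENABLED" if r["enabled"] else "disabled"
        if r["flagged"]:
            status += ", FLAGGED-MALICIOUS"
        source = "webstore" if r["from_webstore"] else "sideloaded"
        perms = ", ".join(r["broad_permissions"]) or "-"
        lines.append(f"{r['id']}  {r['name']} {r['version']}  [{status}, {source}]  broad perms: {perms}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python ext_inventory.py [path/to/Preferences]; sample data if omitted.
    prefs = load_preferences(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    print(report(prefs))
    bad = reactivated_flagged(prefs)
    if bad:
        print("\nWARNING: flagged extensions that have been re-enabled:", ", ".join(bad))
```

Run it against a copy of the Preferences file while Chrome is closed (the browser rewrites the file while running). A flagged extension showing as ENABLED is exactly the situation the article warns about: Chrome disabled it, and someone chose to turn it back on.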