- Jan 6, 2017
- 835
Click-fraud browser extensions pulled from Google’s Chrome Web Store.
In much the same way that smartphone apps help you personalize your device to your own specifications for productivity and enjoyment, browser extensions help you use the internet with your own key personalizations. These extensions are typically downloaded from the browser’s catalog of tools, and offer a wide variety of functions.
However, extensions are notorious for carrying some extra baggage, namely malicious code that often runs unnoticed by the user. Google Chrome is one such browser that has had problems in the past, and now, thanks to security researchers at ICEBRG, faces plenty more… 500,000 more, to be exact.
Malicious browser extensions enabled criminals to impact over 500k users and global businesses.
Anomalies spotted
After finding a strange increase in output from one computer they were monitoring, Justin Warner and Mario De Tore investigated the cause and found four Chrome extensions that contained the code. The extensions included Change HTTP Request Header, Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes.
It’s worth noting that, according to Warner and De Tore, “The Change HTTP Request Header extension itself does not contain any overtly malicious code. However, ICEBRG identified two items of concern that, when combined, enable the injection and execution of arbitrary JavaScript code via the extension.” That means the extension itself might not trigger any suspicious internal behaviors but when combined with other extensions, could pose a threat.
Hijacking users’ browsers
ICEBRG’s explanation of their findings is fairly technical, but at first glance, it seems that an external agent was hijacking users’ browsers in order to redirect to advertising sites to reap the benefits of a click fraud campaign. However, as Warner and De Tore explain, that is by far not the only capability with these compromised extensions.
“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC). The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.”
ICEBRG alerted the pertinent security agencies and Google itself, and Google has removed those extensions from the browser store.
In much the same way that smartphone apps help you personalize your device to your own specifications for productivity and enjoyment, browser extensions help you use the internet with your own key personalizations. These extensions are typically downloaded from the browser’s catalog of tools, and offer a wide variety of functions.
However, extensions are notorious for carrying some extra baggage, namely malicious code that often runs unnoticed by the user. Google Chrome is one such browser that has had problems in the past, and now, thanks to security researchers at ICEBRG, faces plenty more… 500,000 more, to be exact.
Malicious browser extensions enabled criminals to impact over 500k users and global businesses.
Anomalies spotted
After finding a strange increase in output from one computer they were monitoring, Justin Warner and Mario De Tore investigated the cause and found four Chrome extensions that contained the code. The extensions included Change HTTP Request Header, Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes.
It’s worth noting that, according to Warner and De Tore, “The Change HTTP Request Header extension itself does not contain any overtly malicious code. However, ICEBRG identified two items of concern that, when combined, enable the injection and execution of arbitrary JavaScript code via the extension.” That means the extension itself might not trigger any suspicious internal behaviors but when combined with other extensions, could pose a threat.
Hijacking users’ browsers
ICEBRG’s explanation of their findings is fairly technical, but at first glance, it seems that an external agent was hijacking users’ browsers in order to redirect to advertising sites to reap the benefits of a click fraud campaign. However, as Warner and De Tore explain, that is by far not the only capability with these compromised extensions.
“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC). The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.”
ICEBRG alerted the pertinent security agencies and Google itself, and Google has removed those extensions from the browser store.