Malware News Seven More Chrome Extensions Compromised

[LASER_oneXM]

The number of compromised Chrome browser extensions is growing beyond the initial Aug. 1 hijacking of the OCR add-on called Copyfish. Added to list are seven additional legitimate Chrome Extensions that attackers took over and used to manipulate internet traffic and web-based ads, according to researchers at Proofpoint.

A report released Monday shows an expanded list of compromised Chrome Extensions to include: Web Developer (0.4.9), Chrometana (1.1.3), Infinity New Tab (3.12.3), Web Paint (1.2.1), and Social Fixer (20.1.1). It also believes extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.

“This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft,” wrote Proofpoint on Monday.

In one example of malicious behavior, the compromised version of an extension attempts to substitute ads on the victim’s browser, hijack traffic from legitimate advertising networks and trick victims into “repairing” their computer. Proofpoint said that attackers singled out adult websites when substituting ads and focused on a particular unnamed ad network.

“In many cases, victims were presented with fake JavaScript alerts prompting them to ‘repair’ their PC then redirecting them to affiliate programs from which the threat actors could profit,” Proofpoint said. “(The) malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used.”