Google has removed over 500 malicious Chrome extensions from its official Web Store following a two-month-long investigation by independent security researcher Jamila Kaya and Cisco’s Duo Security team.
The extensions, which have now been removed from the Web Store and deactivated in users’ browsers, injected malicious ads into users’ web browsing sessions. The malicious code injected by the extensions was set to activate under certain conditions and redirect users to specific sites.
While at times the extensions would lead users to legitimate sites such as Macy’s, Dell or BestBuy through affiliate links, they also led users to known malware download sites or phishing pages.
According to a new report from Cisco’s Duo Security team, the extensions were part of a larger malware operation that has been active for at least two years. However, the research team behind the report also believes the group behind this operation may have been active since the early 2010s.
Malicious Chrome extensions
The operation was discovered by Jamila Kaya, who first found the malicious extensions while threat hunting, when she noticed a common URL pattern in visits to malicious sites.
Kaya then used CRXcavator, a service for analyzing Chrome extensions, which helped her locate the initial group of extensions. These shared a nearly identical codebase but used generic names to mask their true activity. She provided further insight on her discovery in an interview with ZDNet, in which she said:
“Individually, I identified more than a dozen extensions that shared a pattern. Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator’s database and discover the entire network. We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions.”
According to Cisco Duo, the first set of extensions was installed by over 1.7m Chrome users. However, Google launched its own investigation and found even more extensions that fit the same pattern, which led to the search giant banning over 500 extensions.
Google has removed the malicious Chrome extensions from its official Web Store as well as deactivated them inside users’ browsers to prevent even more users from falling victim to this malvertising scam.