Six more Chrome Extensions developers discovered that their account had been broken in the last four months, according to new findings yesterday from its security researcher Proofpoint, Caffeine.
Earlier this month, we mentioned about it hijack another expansion of Chrome (Copyfish). As seen in all cases, the attackers used "phishing" emails to trick developers into giving them credentials to Chrome developer accounts.
Kafeine Security Investigator identified six extra Chrome extensions that were occupied in the same way.
The list includes:
Web Paint one [source] Social Fixer one [source] TouchVPN
Betternet VPN
If you now add the total installations from the eight extensions, you will see that the attackers managed to deliver their malicious code to approximately 4,8 million users.
Google, on the other hand, has reportedly warned Chrome extension developers to be very wary of phishing efforts.
Google sent one warning two weeks ago, because in all the above attacks the electronic fishing was the first step of the process.
Security investigator Kafeine analyzed the malicious code he found in some of the extensions and discovered that it was designed to perform the following functions:
- Αναμονή τουλάχιστον δέκα λεπτά μετά την εγκατάσταση- ενημέρωση της extensionς
- Retrieve a file JavaScript from a random DGA-generated domain
- Collection of certification aggregates from the program browsing of the user
- Replace ads with ads provided by the malicious user
- Most ad replacements come from adult portals
- View a pop-up alert notifying you of an error and redirecting to other sites for more traffic
The phishing attacks, according to the researcher, took place in May 2017, and seem to be related to the infrastructure used in another malicious extension of Chrome, which was discovered in June 2016.
This shows that the malicious users behind these attacks are well-versed in the Chrome and Chrome Web Store extensions and will probably continue their attacks.