Not one, not two, but thirty Chrome extensions with a total of 1 million installs were found to be promoting malicious ads
Researchers from Guardio Labs discovered a new malicious ad campaign in which Google Chrome extensions hijack your searches and insert their own affiliate links into the websites you visit.
All of these extensions ostensibly offer Chrome color customization options, and they arrive on the victim's machine without any malicious code in order to evade detection. Analysts called the campaign “Dormant Colors”.
According to the Guardio Labs report, by mid-October 2022, 30 variants of the browser extensions were available in both the Chrome and Edge web stores, amassing over one million installations.
The infection starts with ads or redirects on websites that offer videos or downloads. When you try to download the file or watch the video, you are redirected to another website stating that you must install an extension to continue, as shown below.
When the visitor clicks the "OK" or "Continue" button, they are prompted to install a harmless-looking color-changing extension.
However, once these extensions are installed, they redirect users to various pages hosting malicious scripts that in turn instruct the extension how to carry out the attack and on which sites to insert its affiliate links.
Once their affiliate links are appended to the URL, any purchase made on the site will generate a commission for the malicious developers.
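As an added illustration (not code from the Guardio Labs report), the following Python snippet shows how a defender could look for the pattern described above by comparing the URL a user requested with the URL the tab actually ended on and flagging in-place additions of affiliate-style query parameters. The parameter names and the sample navigations are assumed and constructed for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (URL the user requested, URL the tab ended on).
# Placeholder affiliate values, not real identifiers from the campaign.
SAMPLE_NAVIGATIONS = [
    ("https://shop.example.com/item/123",
     "https://shop.example.com/item/123?ref=PLACEHOLDER_AFFID&utm_source=ext"),
    ("https://shop.example.com/item/456?color=red",
     "https://shop.example.com/item/456?color=red"),
    ("https://news.example.org/article?id=9",
     "https://news.example.org/article?id=9&page=2"),
    ("https://store.example.net/",
     "https://store.example.net/?tag=PLACEHOLDER_TAG"),
]

# Query keys commonly used for affiliate/referral tracking. This is an
# assumed list for the example, not taken from the report; tune it locally.
AFFILIATE_KEYS = {"ref", "tag", "aff", "affid", "aff_id", "affiliate", "clickid", "subid"}


def added_query_params(requested, final):
    """Return query parameters present in `final` but absent from `requested`.

    Only an in-place rewrite is considered: scheme, host and path must match,
    otherwise the navigation is an ordinary redirect elsewhere and None is returned.
    """
    r, f = urlsplit(requested), urlsplit(final)
    if (r.scheme, r.netloc, r.path) != (f.scheme, f.netloc, f.path):
        return None
    before = set(parse_qsl(r.query, keep_blank_values=True))
    after = set(parse_qsl(f.query, keep_blank_values=True))
    return sorted(after - before)


def flag_affiliate_injection(navigations):
    """Report navigations where affiliate-style parameters were appended in place."""
    findings = []
    for requested, final in navigations:
        added = added_query_params(requested, final)
        if not added:
            continue
        suspicious = [(k, v) for k, v in added if k.lower() in AFFILIATE_KEYS]
        if suspicious:
            findings.append({"host": urlsplit(final).netloc, "added": suspicious})
    return findings


if __name__ == "__main__":
    for finding in flag_affiliate_injection(SAMPLE_NAVIGATIONS):
        print(finding)
```

The same comparison can be fed from browser history or proxy logs; a parameter that was not in the requested URL but appears on the same page after the extension ran is the signal to investigate.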
Researchers warn that by using the same stealthy code-loading technique, Dormant Colors' operators could potentially achieve more sinister goals than simply serving ads. They could redirect victims to phishing pages to steal credentials for the websites they visit, including banking websites.
The malicious extensions have already been removed from the Chrome and Edge stores, but researchers warn that the campaign is constantly being renewed with new extension names.