It has been a bad month for Chrome, whose extensions have suffered a string of attacks. The first, on August 1, involved the OCR add-on Copyfish (version 2.8.5). Only the Google Chrome extension was hit; the versions of Copyfish for other browsers were not affected. More than 30,000 users had their browsing disrupted by injected ads.
Worse, many users may never notice that anything is wrong. People are used to seeing large numbers of ads while watching videos or reading the news, so even a sharp increase may not prompt them to take any action or report it.
To make matters worse, several other Chrome extensions were affected by attacks of the same kind. The main symptoms are an unusually high number of advertisements and manipulated traffic, such as redirects to sites the user never asked for. Affected versions should not be used until a clean version is installed, since the injected ads and redirects can lead to further malware.
The other affected extensions include Chrometana (1.1.3), Web Developer (0.4.9), Social Fixer (20.1.1), Infinity New Tab (3.12.3) and Web Paint (1.2.1). Even Virtual Private Network (VPN) extensions were not spared: the Chrome extensions Betternet VPN and TouchVPN are believed to have been compromised back in June.
The original Copyfish attack began by deceiving its developers at A9t9 Software. An email claimed that the extension no longer met the Chrome Web Store's requirements and would be removed unless it was updated.
The email contained a link that supposedly led to more details. An unsuspecting developer followed it and entered their Google Account password on the page behind it.
That was the fatal mistake: with the password, the attackers controlled the developer account, could modify the extension's code freely, and could push the tampered version out to users through the store.
Attacks of this kind all follow the same template. Developers are phished for their Google Account credentials, and the attacker then uses the account to upload a modified version of the extension.
The injected code then serves malicious advertisements and pop-ups that redirect traffic and can expose users' computers to further malware, which can do a great deal of damage on its own.
Proofpoint, a cyber security company, analysed the injected code. The malicious JavaScript retrieved a remote file named ga.js over HTTP from a domain produced by a domain generation algorithm (DGA), so the callback server could change without any change to the extension itself.
That remote script could in turn load further scripts. Beyond substituting ads, some of these scripts harvested Cloudflare credentials, which could give the attackers control of the victims' Cloudflare accounts and of the sites served through them.
Given that Cloudflare credentials have been harvested in more than one of these campaigns, it is reasonable to expect more attacks of this kind in the future.