
Published on August 17th, 2017

Warning: These 8 Google Chrome extensions have been hijacked by a hacker

According to recent Proofpoint research, eight extensions for the Google Chrome web browser have been compromised by attackers, sending malicious ads to the affected users. In a report, Proofpoint explained that the authors of these extensions had their credentials stolen, allowing the attacker to take over.

The attacks occurred primarily in July and August 2017, with the attackers getting the credentials through a phishing scheme, the report said. This means that victims were exposed to malicious popups and potential schemes for stealing their credentials as well.

According to the report, these eight extensions were likely compromised:

  1. Web Developer 0.4.9
  2. Chrometana 1.1.3
  3. Infinity New Tab 3.12.3
  4. CopyFish 2.8.5
  5. Web Paint 1.2.1
  6. Social Fixer 20.1.1
  7. TouchVPN
  8. Betternet VPN
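A defender can check a Chrome profile against this list by reading each installed extension's `manifest.json`. The script below is an added example, not code from Proofpoint or the article. It assumes the usual `Extensions/<id>/<version>_N/manifest.json` layout and matches on display name, since the article gives no extension IDs.

```python
import json
import tempfile
from pathlib import Path

# Names and versions as listed in the article; None means no version was given.
# Matching on the display name is an assumption: store names can differ.
REPORTED = {"web developer": "0.4.9", "chrometana": "1.1.3",
            "infinity new tab": "3.12.3", "copyfish": "2.8.5",
            "web paint": "1.2.1", "social fixer": "20.1.1",
            "touchvpn": None, "betternet vpn": None}

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ locale reference."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        try:
            path = ext_dir / "_locales" / locale / "messages.json"
            raw = json.loads(path.read_text(encoding="utf-8-sig"))
            msgs = {k.lower(): v for k, v in raw.items()}
            return str(msgs[name[6:-2].lower()]["message"])
        except (OSError, ValueError, AttributeError, KeyError, TypeError):
            return name
    return name

def scan(extensions_root):
    """Return (name, version, flagged); flagged = listed version or none listed."""
    hits = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
            name = display_name(mf.parent, manifest)
            version = manifest.get("version", "")
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it
        for listed, bad in REPORTED.items():
            if listed in name.lower():
                hits.append((name, version, bad is None or version == bad))
    return hits

if __name__ == "__main__":
    # Constructed sample tree with made-up IDs, so the script runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, name, ver in [("sample-a", "Web Developer", "0.4.9"),
                                  ("sample-b", "Unrelated Notes", "1.0")]:
            d = Path(tmp) / ext_id / f"{ver}_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": name, "version": ver}))
        print(scan(tmp))
```

A hit with `flagged` set to `False` is a listed extension at a different version than the one reported. Name matches are substring-based, so confirm each hit against the extension's store page before acting on it.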

One of the first indications of this attack surfaced on August 2, when developer Chris Pederick reported his Web Developer for Chrome extension had been hijacked, the report said. In a tweet, Pederick wrote that "The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded."

After checking to make sure that it has been installed, the compromised extension retrieves a ga.js file that allows it to steal the host's credentials and swap out legitimate ads for malicious ones. While the attackers did substitute ads for a range of websites, many of the substituted ads represented adult sites, the Proofpoint report said.


Additionally, fake JavaScript alerts and banner ads also attempted to convince users that their PC was infected with a virus or in need of some sort of repair, the report said. These types of ads are typically used to redirect users to another program that aims to profit off of users paying for these repair or antivirus services that they never receive. But, that's not all.

"In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks," the report said.

However, Proofpoint did note that Cloudflare took immediate action to remove the malicious activity that was reported to them.











