Malicious Chrome extensions infected 500k workstations: researchers


More than a half-million workstations at major global organisations were recently found infected with malicious Chrome web browser extensions that were likely used to commit click fraud and search engine optimization manipulation, according to researchers from network security analytics firm ICEBRG.

In a 15 January blog post, members of the ICEBRG Security Research Team report finding four separate extensions, which could have also enabled attackers to access affected organisations' corporate networks and user information.

The malicious extensions, named "Change HTTP Request Header," "Nyoogle - Custom Logo for Google," "LiteBookmarks," and "Stickies - Chrome's Post-it Notes," have been removed by Google from the Chrome Web Store, the researchers noted.

The malicious extensions were uncovered during an analysis of unusually high outbound traffic flowing from an ICEBRG customer's workstation to a European virtual private server provider.

Further analysis revealed that while the extensions don't contain any overtly malicious code, they do have two items that, when combined, enable the update server to inject arbitrary JavaScript code, because the extension holds permission to retrieve JSON from an external source.
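The article does not name the two manifest items involved. As an added illustration (not ICEBRG's tooling and not code from the article), the following audit flags the best-known combination of that kind in a Chrome extension manifest: a Content Security Policy that permits `'unsafe-eval'` together with broad host permissions, which together let JSON fetched from a remote server become executable code inside the extension. Both indicators and the sample manifests are assumptions constructed for the example.

```python
# Added example, not from the article or ICEBRG: audit Chrome extension
# manifest.json files for manifest features that, combined, let remotely
# fetched data turn into executable code. The indicators below are general
# risk indicators assumed for illustration, not the specific items ICEBRG found.
import json
from typing import Dict, List

# Host patterns that grant access to every origin the browser can reach.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

CSP_UNSAFE_EVAL = "CSP_UNSAFE_EVAL"
BROAD_HOST_ACCESS = "BROAD_HOST_ACCESS"
REMOTE_CODE_RISK = "REMOTE_CODE_RISK"


def _extension_csp(manifest: Dict) -> str:
    """Return the CSP governing extension pages (MV2 string or MV3 dict form)."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    return csp if isinstance(csp, str) else ""


def csp_allows_eval(manifest: Dict) -> bool:
    """True when the extension CSP lets strings be executed as code."""
    return "'unsafe-eval'" in _extension_csp(manifest)


def broad_host_permissions(manifest: Dict) -> List[str]:
    """Host permissions that reach any origin, internal sites included."""
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    return [p for p in declared if p in BROAD_HOST_PATTERNS]


def audit_manifest(manifest: Dict) -> List[str]:
    """Return finding codes; the combined finding is the one worth escalating."""
    findings: List[str] = []
    eval_allowed = csp_allows_eval(manifest)
    hosts = broad_host_permissions(manifest)
    if eval_allowed:
        findings.append(CSP_UNSAFE_EVAL)
    if hosts:
        findings.append(BROAD_HOST_ACCESS)
    if eval_allowed and hosts:
        # Remote JSON fetched from any origin plus eval = remotely controllable code.
        findings.append(REMOTE_CODE_RISK)
    return findings


def audit_manifest_json(text: str) -> List[str]:
    return audit_manifest(json.loads(text))


# Constructed sample manifests for demonstration; neither is a real extension.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Notes", "version": "1.0",
    "permissions": ["storage"],
})
RISKY_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Example Header Tool", "version": "1.0",
    "permissions": ["webRequest", "<all_urls>"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("risky", RISKY_MANIFEST)):
        print(label, audit_manifest_json(text))
```

Run it over the unpacked extension directories of a managed Chrome fleet and treat `REMOTE_CODE_RISK` as a review trigger rather than proof of malice: the individual indicators are common in legitimate extensions, and it is the combination that makes an update server able to ship code instead of data.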

The researchers observed that this malicious, obfuscated JavaScript even checks for native Chrome debugging tools to prevent detection and subsequent analysis by security professionals.

ICEBRG reports that after successful injection, the malicious code next establishes a WebSocket tunnel with its command-and-control server so that it can proxy browsing traffic using the victim's browser in order to visit advertising-related domains, presumably for click-fraud purposes.
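The extensions were first noticed through volume, not signatures: one workstation sending far more to a single external destination than its peers. As an added example (not ICEBRG's detection and not from the article), the check below runs over constructed flow records and flags any workstation-to-destination pair whose outbound bytes dwarf the fleet's typical per-pair volume, noting whether a WebSocket upgrade was seen on that pair. The hostnames, addresses, byte counts and thresholds are all constructed for the example.

```python
# Added example, not from the article or ICEBRG: flag workstations whose
# outbound volume to one external destination is far above the fleet norm,
# the kind of anomaly that exposed the proxying extensions.
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed flow records: (src_host, dst_host, bytes_out, websocket_upgrade_seen)
SAMPLE_FLOWS: List[Tuple[str, str, int, bool]] = [
    ("ws-01", "mail.corp.example", 120_000, False),
    ("ws-01", "cdn.vendor.example", 80_000, False),
    ("ws-02", "mail.corp.example", 110_000, False),
    ("ws-02", "cdn.vendor.example", 70_000, False),
    ("ws-03", "mail.corp.example", 130_000, False),
    ("ws-03", "203.0.113.25", 9_500_000, True),   # sustained tunnel to a VPS (constructed)
]


def outbound_by_pair(flows) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Aggregate bytes and WebSocket sightings per (src, dst) pair."""
    pairs: Dict[Tuple[str, str], Dict[str, object]] = defaultdict(lambda: {"bytes": 0, "websocket": False})
    for src, dst, nbytes, ws in flows:
        entry = pairs[(src, dst)]
        entry["bytes"] = int(entry["bytes"]) + nbytes
        entry["websocket"] = bool(entry["websocket"]) or ws
    return pairs


def suspicious_destinations(flows, ratio: float = 5.0, min_bytes: int = 1_000_000) -> List[Dict[str, object]]:
    """Pairs sending more than `ratio` times the median per-pair volume and at least `min_bytes`."""
    pairs = outbound_by_pair(flows)
    if not pairs:
        return []
    baseline = median(int(v["bytes"]) for v in pairs.values())
    hits = []
    for (src, dst), v in pairs.items():
        nbytes = int(v["bytes"])
        if nbytes >= min_bytes and nbytes > ratio * baseline:
            hits.append({
                "src": src,
                "dst": dst,
                "bytes": nbytes,
                "websocket": bool(v["websocket"]),
                "times_median": round(nbytes / baseline, 1) if baseline else None,
            })
    return sorted(hits, key=lambda h: -int(h["bytes"]))


if __name__ == "__main__":
    for hit in suspicious_destinations(SAMPLE_FLOWS):
        print(hit)
```

A long-lived WebSocket to an otherwise unknown destination combined with outbound volume far above the median is exactly the shape a browser-based proxy produces, and because the tunnel runs inside the user's browser, the same pair of indicators is what to look for when checking whether internal sites were reached through it.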

"The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties," the blog post adds.

"The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain," the report concludes.

"The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets."

This article originally appeared at
Copyright © SC Magazine, US edition