Two weeks ago, attackers managed to hack the developer accounts for two very common Chrome extensions (Copyfish and Web Developer). The hack was very simple, when the developer entered the link, he was redirected to a fake copy of the Google account login page, where the developer entered the login details of the developer account.
Kafeine (researchers at Proofpoint) discovered that six more Chrome extensions had been hijacked in the same way. The list includes:
– Chrometana 1.1.3 [source]
– Infinity New Tab 3.12.3
– Web Paint 1.2.1 [source]
– Social Fixer 20.1.1 [source]
– TouchVPN
– Betternet VPN
According to the researcher:
“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.”
After getting access to the hacked accounts, the attackers will change the extensions to execute malicious tasks, or they add malicious Javascript code to them in a try to hijack traffic and force a malicious update that load ads on top of web pages in order to make income.
“Threat actors continue to look for new ways to drive traffic to affiliate programs and effectively surface malicious advertisements to users,” researchers concluded. “In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.”