Google Chrome extensions are under attack, with a number of developers targeted within a month.
Nearly two weeks ago, it was reported that unknown attackers had compromised the Chrome Web Store account of a developer team, hijacked the Copyfish extension, and then modified it to distribute spam correspondence to users.
Just two days after that incident, unknown attackers hijacked another popular extension, “Web Developer,” and then used it to inject advertising directly into the web browsers of more than 1 million users.
After Chris Pederick, the creator of the Web Developer Chrome extension, which offers several development tools to its users, told Proofpoint that his extension had been compromised, the security vendor analyzed the issue and found more add-ons in the Chrome store that had also been altered.
According to the latest report, published by Proofpoint researchers on Monday, the extended list of compromised Chrome extensions is as follows:
- Chrometana (1.1.3)
- Infinity New Tab (3.12.3)
- CopyFish (2.8.5)
- Web Paint (1.2.1)
- Social Fixer (20.1.1)
Proofpoint researcher Kafeine also believes that the Chrome extensions TouchVPN and Betternet VPN were compromised in the same way at the end of June.
In all of the cases described above, unknown attackers gained access to the developers' Google web accounts by sending phishing emails with malicious links to steal account credentials.
In the case of the Copyfish extension, the attackers also moved the entire extension to one of their own developer accounts, preventing the company from removing the infected extension from the Chrome store even after the extension's compromised behavior had been spotted.
“Threat actors continue to look for new ways to drive traffic to their affiliate programs and effectively overcome harmful advertising for users,” the researchers conclude. “In the cases described here, they are leveraging compromised Chrome extensions to trick traffic and replace ads on victims’ browsers.”
“Once they get the credentials from developer email phishing campaigns, they can post malicious versions of legitimate extensions.”
At this point, it is unclear who is behind the hijackings of the Chrome web extensions.
The best way to protect yourself against such phishing attacks is to always be suspicious of uninvited documents sent by email and to never click on links inside those documents unless you have verified the source.
According to the researcher:
“In late July and early August, some Chrome extensions were compromised after the credentials of their author’s Google account were stolen through a phishing scheme. This led to traffic hijacking and the exposure of users to potentially harmful pop-ups and stolen credentials.”