Threat Management, Malware, Network Security

Researchers: Malicious Chrome extensions infected 500K workstations

More than a half-million workstations at major global organizations were recently found infected with malicious Chrome web browser extensions that were likely used to commit click fraud and search engine optimization manipulation, according to researchers from network security analytics firm ICEBRG.

In a Jan. 15 blog post, members of the ICEBRG Security Research Team report finding four separate extensions, which could have also enabled attackers to access affected organizations' corporate networks and user information. The malicious extensions, named "Change HTTP Request Header," "Nyoogle - Custom Logo for Google," "LiteBookmarks," and "Stickies - Chrome's Post-it Notes," have been removed by Google from the Chrome Web Store, the researchers noted.

The malicious extensions were uncovered during an analysis of unusually highly outbound traffic flowing from a ICEBRG customer's workstation to a European virtual private server provider. Further analysis revealed that while the extensions don't contain any overtly malicious code, they do have two items that, when combined, enable the injection of arbitrary JavaScript code whenever the update server receives a permission request for retrieving JSON from an external source. The researchers observed that this malicious, obfuscated JavaScript even checks for native Chrome debugging tools to prevent detection and subsequent analysis by security professionals.

ICEBRG report that after successful injection, the malicious code next establishes a WebSocket tunnel with its command-and-control server so that it can proxy browsing traffic using the victim's browser in order to visit advertising-related domains, presumably for click-fraud purposes. "The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties," the blog post adds.

Although the report states that more than 500,000 users were collectively impacted, some of these victims may be non-unique. Regardless, "The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain," the report concludes. "The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.