Google has removed more than 500 Chrome extensions in response to a report from a security researcher, who found the browser plugins distributed through the Chrome Web Store facilitated ad fraud and data theft.
Using a free extension forensic analysis tool called CRXcavator, released last year by Cisco’s Duo Security, independent infosec bod Jamila Kaya spotted a set of similarly coded Chrome extensions “that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store,” said Kaya, and Jacob Rickerd, a security engineer at Duo, in a blog post this week.
We’re told “the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”
For the past two years or so, Google has been scrambling to revise the way Chrome extensions work because the APIs available to extension developers can be abused. The ad biz decided to limit its extension platform technically rather than commit the considerable resources that would be necessary to thoroughly review the code of extensions submitted to the Chrome Web Store and prevent developer misbehavior.
Its security-focused platform revision, referred to as Manifest v3, is presently underway. But Chrome extensions developed under the more liberal regime, Manifest v2, are still being written and distributed. And the Chrome Web Store remains woefully understaffed.
Kaya found several extensions offering advertising as a service – with names like MapsTrek Promotions, FreeWeatherApp Promos, and CouponRockstar Offers – and discovered they were part of a network of browser plugins that shared similar code. Using CRXcavator, she identified about 70 related extensions and presented her findings to Google and we understand they were removed last year.
Google then created a code fingerprint that led the company to find more than 500 bad extensions and subsequently remove them. About 1.7m Chrome users had these extensions installed.
It’s not clear whether any of the victims recognized they were under attack. The malicious extensions appear to have been designed to operate unobtrusively and generate ad revenue by redirecting the victim’s browser to a series of host sites – almost all hosted on AWS, the researchers claim – that serve a series of ads, both legitimate and illegitimate.
Yet these ads – billed to advertisers with the scammers getting some portion of the proceeds unless detected – may never have been viewed by actual people.
“A large portion of these are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy,” explain Kaya and Rickerd.
“What differentiates it as malvertising and ad fraud rather than legitimate advertising is the large volume of ad content shown, the fact that the user does not see many if not the majority of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing.”
“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said a Google spokesperson in an email, offering The Register a statement identical to the one the company provided in Duo Security’s blog post.
“We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”
Google’s spokesperson ignored other questions from The Register about whether law enforcement was notified, and whether the company has any further information about the individual or group behind the malicious extensions.
A spokesperson for Duo Security said it took two months from the time that Kaya identified the dubious extensions to the time when Google was notified, but declined to identify when specifically this occurred and referred further questions to Google.
Kaya and Rickerd provide few details about the person or group behind the malvertising campaign. It appears the responsible party has been active since at least January 2019 and may have been active further back based on domain registration dates in 2017. Certain code patterns point back further still to 2010.
One of the domain registration records cited contains an individual’s name, but the security researchers take no position about whether this individual is a real person actually associated with any of the registered domains supporting this malvertising operation.