Malicious Chrome web browser extensions have infected more than half-million computers worldwide. These extensions were likely used for click fraud and to manipulate search engine optimization, reports network security analytics firm ICEBRG.
Browser extensions often boost a user’s web experience, but they can also be dangerous to workstation security with their use of an arbitrary code. These extensions are often easy to install, and many people underestimate their power to wreak havoc. As a result, companies are vulnerable to attack.
According to ICEBRG: “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information. While revenues are not known, a similar botnet uncovered in 2013 yielded $6 million per month before it was taken down.”
The firm has identified four extensions that allowed hackers to access the affected group’s corporate networks and user information, reports SC Media. The extensions are named “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “LiteBookmarks,” and “Stickies – Chrome’s Post-it Notes.” Google has since removed these malicious extensions from the Chrome Web Store.
ICEBRG discovered the malicious extensions after noticing unusually high outbound traffic coming from a customer’s workstation in Europe.
The firm noted: “The Change HTTP Request Header extension itself does not contain any overtly malicious code. However, ICEBRG identified two items of concern that, when combined, enable the injection and execution of arbitrary JavaScript code via the extension.”
The malicious JavaScript actually searches for native Chrome debugging tools to avoid detection and discovery by security experts. Once the code inserts itself into the system it creates a WebSocket tunnel with its command-and-control server. This allows it to use the victim’s browser to visit specific websites, likely to carry out click fraud.
“The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties,” ICEBRG concluded. “The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain. The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets.”