Over 500,000 Google Chrome Users Affected by Malicious Extensions

Google recently removed four extensions from the Chrome Web Store after they were discovered to be malicious. The extensions, which already had over 500,000 downloads, were used to carry out click fraud and SEO manipulation.

The malicious extensions were discovered by researchers from ICEBRG, a Seattle-based internet security company, when they investigated spikes in outbound traffic from a customer’s workstation. Upon verification, the researchers found that these outbound data transmissions were caused by a Google Chrome extension named HTTP Request Header. Apparently, the workstation was being used to visit links that the researchers suspected were advertising-related.

The same ICEBRG researchers went on to discover three more malicious extensions that did essentially the same thing as HTTP Request Header: Nyoogle, Stickies, and Lite Bookmarks. ICEBRG then notified Google of its findings, and the malicious extensions were removed from the Chrome Web Store.

In the past, malicious browser extensions have been used to infect the workstations of unsuspecting Chrome users with spyware or even malware. At the moment, ICEBRG believes that the extensions it discovered may have been used to scam advertisers who pay on a per-click basis, by generating fake clicks from the infected workstations. However, it is also possible that the same malicious add-ons could be used to spy on anyone.

In a report published on Friday, ICEBRG explained the risk malicious extensions may pose to browser users. "In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks."

Of course, this is not the first time that Google Chrome extensions have been used in cyber attacks. In July and August of 2017, still-unidentified hackers managed to compromise the accounts of Chrome extension developers, which were then used to automatically install extension updates capable of placing ads on sites visited by users.
