For example, you can search and navigate from the same box and arrange tabs however you wish - quickly and easily. Chrome's browser window is streamlined, clean and simple. It's quick to start up from your desktop, loads web pages in a snap, and runs complex web applications lightning fast. Chrome is designed to be fast in every possible way. When Google banned the extensions from the official Web Store, it also deactivated them inside every user's browser, while also marking the extension as "malicious" so users would know to remove it and not reactivate it.Chrome is a fast, simple, and secure web browser, built for the modern web. "While the redirects were incredibly noisy from the network side, no interviewed users reported too obtrusive of redirects," Kaya told ZDNet.Ī list of extension IDs that were part of this scheme are listed in the Duo report. However, in the current state of the internet where many websites use similar advertising schemes with aggresive ads and redirects, many users didn't even bat an eye. What stood out about this scheme was the use of "redirects" that often hijacked users away from their intended web destinations in a very noisy and abrasive manner that was hard to ignore or go unnoticed. In all cases, the extensions try to be as non-intrusive as possible, so not to alert users of a possible infection. Typically, these extensions usually engage in injecting legitimate ads inside a user's browsing session, with the extension operators earning revenue from showing ads. Networks of malicious Chrome extensions have been unearthed in the past. Extensions disabled in users' Chrome installs It is unclear how many users had installed the 500+ malicious extensions, but the number is more than likely to be in the millions range. "We subsequently reached out to Google with our findings, who were receptive and collaborative in eliminating the extensions," Kaya told ZDNet.Īfter its own investigation, Google found even more extensions that fit the same pattern, and banned more than 500 extensions, in total.
"Upon contacting Duo, we were able to quickly fingerprint them using CRXcavator's database and discover the entire network."Īccording to Duo, these first series of extensions had a total install count of more than 1.7 million Chrome users. "Individually, I identified more than a dozen extensions that shared a pattern," Kaya told us.
Leveraging CRXcavator, a service for analyzing Chrome extensions, Kaya discovered an initial cluster of extensions that run on top of a nearly identical codebase, but used various generic names, with little information about their true purpose. The researcher told ZDNet in an interview that she discovered the malicious extensions during routine threat hunting when she noticed visits to malicious sites that had a common URL pattern. Responsible for unearthing this operation is Kaya. Millions of users believed to be impacted The research team also believes the group who orchestrated this operation might have been active since the early 2010s.
In some cases, the destination would be an affiliate link on legitimate sites like Macys, Dell, or BestBuy but in other instances, the destination link would be something malicious, such as a malware download site or a phishing page.Īccording to a report published today and shared with ZDNet, the extensions were part of a larger malware operation that's been active for at least two years.
The malicious code injected by the extensions activated under certain conditions and redirected users to specific sites. The removed extensions operated by injecting malicious ads (malvertising) inside users' browsing sessions. Google has removed more than 500 malicious Chrome extensions from its official Web Store following a two-months long investigation conducted by security researcher Jamila Kaya and Cisco's Duo Security team.