
About eight Chrome browser extensions were compromised in the last three months, and the attacker used them to steal Cloudflare credentials and serve up malicious ads.
Always stay protected: don't open emails that carry dodgy links or "proof of payment" attachments you weren't expecting.
In June, July and August, developers of the following Chrome extensions had their login credentials stolen through a phishing attack. The extensions affected are:
- Web Developer – version 0.4.9 affected
- Chrometana – version 1.1.3 affected
- Infinity New Tab – version 3.12.3 affected
- CopyFish – version 2.8.5 affected
- Web Paint – version 1.2.1 affected
- Social Fixer – version 20.1.1 affected
- TouchVPN – appears to have been affected, but the version is unclear
- Betternet VPN – also appears to have been affected, but no version was provided
The link in the email used the bit.ly URL shortener to redirect the developer to a fake login page that harvested their credentials and allowed the attacker to take control of the Chrome extension developer's account. With that access the attackers could modify the code of these extensions and publish new versions, and the change they made injected their own malicious JavaScript into the extensions. The new code looked like this:
In addition to stealing Cloudflare credentials, the attackers engaged in 'malvertising': the malicious extension code served up ads that belonged to the attacker.
They did this by hijacking ads from well-known ad networks and replacing them with their own. Most of the substitutions occurred for ads served on adult websites.
Many of the ads were fake alerts telling the browser owner that their PC needed repair. Victims were then redirected to an affiliate program from which the attacker profited.
How to Protect Yourself
1. Get Rid of Browser Extensions You Don't Need
The lesson here is that browser extensions sometimes get hacked. When they do, it can be a catastrophe for you. If you don't absolutely have to have a browser extension, get rid of it.
Alternatively, deactivate extensions until you need them. Then activate them, use the extension and deactivate it again. This isn’t ideal, but it will reduce your risk if an extension is compromised for a few days.
That screenshot utility? If you don’t use it daily, dump it. That quote-of-the-day extension? Ditch it if you don’t need it.
In 2010, Chrome hit 10,000 extensions. Today, 7 years later, there are probably well over 100,000 extensions available for the Chrome browser. That many extensions creates a large attack surface for malicious actors. Minimize your risk by removing the ones you don't use.
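Removing unneeded extensions starts with knowing what is installed. The script below is an added example, not code from the original post: it walks a Chrome profile's `Extensions` directory (Chrome stores each installed extension as `<profile>/Extensions/<id>/<version>/manifest.json`) and reports any install whose manifest name and version match the affected list above. The extension IDs and the sample profile it builds are constructed placeholders, and the function that matches on the manifest's `name` field will not match extensions that use a localized `__MSG_*__` name.

```python
"""Scan a Chrome profile for the extension versions named in the write-up.

Added example (not the original post's code). The affected list is taken
from the page; the sample profile below is constructed for the demo.
"""
import json
import os
import tempfile

# Name -> affected version, as listed on the page. TouchVPN and Betternet VPN
# are omitted because no affected version is given for them.
AFFECTED = {
    "Web Developer": "0.4.9",
    "Chrometana": "1.1.3",
    "Infinity New Tab": "3.12.3",
    "CopyFish": "2.8.5",
    "Web Paint": "1.2.1",
    "Social Fixer": "20.1.1",
}


def installed_extensions(profile_dir):
    """Yield (extension_id, version, manifest) for every manifest.json found.

    Chrome names the version directory like '0.4.9_0'; the authoritative
    version string is the one inside manifest.json, so we prefer that.
    """
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version_dir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            yield ext_id, manifest.get("version", version_dir), manifest


def find_affected(profile_dir):
    """Return sorted (name, version, extension_id) tuples matching AFFECTED.

    Matching is on the plain manifest 'name'; a localized '__MSG_name__'
    value would need resolving via _locales/ first (not handled here).
    """
    hits = []
    for ext_id, version, manifest in installed_extensions(profile_dir):
        name = manifest.get("name", "")
        if AFFECTED.get(name) == version:
            hits.append((name, version, ext_id))
    return sorted(hits)


def build_sample_profile():
    """Constructed sample profile: one affected install and one clean one.

    The 32-character IDs are placeholders, not real Chrome Web Store IDs.
    """
    root = tempfile.mkdtemp(prefix="chrome-profile-")
    samples = [
        ("a" * 32, "0.4.9_0", {"name": "Web Developer", "version": "0.4.9"}),
        ("b" * 32, "2.8.6_0", {"name": "CopyFish", "version": "2.8.6"}),
    ]
    for ext_id, version_dir, manifest in samples:
        ext_dir = os.path.join(root, "Extensions", ext_id, version_dir)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # Point this at a real profile directory (e.g. the 'Default' profile) to
    # scan it; here we scan the constructed sample instead.
    profile = build_sample_profile()
    for name, version, ext_id in find_affected(profile):
        print(f"affected: {name} {version} (id {ext_id})")
```

On a real machine, replace `build_sample_profile()` with the path of the profile directory (the one that contains `Extensions`); the version match is exact, so an extension that has already auto-updated past the listed version will not be reported, which is the point: the listed versions are the ones that carried the injected code.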
2. Even the Pros Get Phished
- Never click on a link if you don't recognize the sender.
- Never click a link in an email and then sign in to a service. If you are presented with a sign-in page, go back to the email, look at the sender's address including their domain, and look very carefully at the URL of the link you clicked.
- Never download and open an email attachment unless you have verified the sender. Even then, consider asking the sender to use a service like Google Docs that doesn't require you to download attachments.
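The checks in the list above can be made mechanical. The function below is an added example, not from the original post: given the sender address, the link's `href` and the domain you expect the service to live on, it returns the reasons to distrust the link. The rule set is my own (shortener detection, registrable-domain comparison, the `user@host` trick, non-HTTPS), the shortener list is a small constructed sample beyond the bit.ly the page mentions, and the email addresses and URLs in the test are constructed, since the page does not quote the phishing email itself.

```python
"""Red-flag checks for a link found in an email.

Added example (not the original post's code). The heuristics are an
assumption about what 'look at the URL very carefully' means in practice.
"""
from urllib.parse import urlsplit

# Public URL shorteners hide the real destination. The page notes the
# phishing email used bit.ly; the other entries are constructed examples.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for .com-style names; a real deployment would use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_warnings(sender, href, expected_domain):
    """Return a list of reasons to distrust the link; empty means no red flags."""
    warnings = []

    # 1. The sender's domain should belong to the service the mail claims to be from.
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if registrable(sender_domain) != registrable(expected_domain):
        warnings.append(f"sender domain {sender_domain!r} is not under {expected_domain!r}")

    parts = urlsplit(href)
    host = parts.hostname or ""

    # 2. A sign-in link should be HTTPS.
    if parts.scheme != "https":
        warnings.append(f"link scheme is {parts.scheme!r}, not https")

    # 3. 'https://trusted.com@evil.example/' - the real host is after the '@'.
    if parts.username is not None:
        warnings.append("link contains userinfo before '@'; the real host is after it")

    # 4. Shorteners hide the destination; otherwise the host must be the expected domain.
    if host in SHORTENERS:
        warnings.append(f"link goes through URL shortener {host!r}; destination unknown")
    elif registrable(host) != registrable(expected_domain):
        warnings.append(f"link host {host!r} is not under {expected_domain!r}")

    return warnings


if __name__ == "__main__":
    # Constructed sample: a lookalike sender plus a shortened, plain-HTTP link.
    for reason in link_warnings("support@chromewebstore-team.example",
                                "http://bit.ly/abc123", "google.com"):
        print("warning:", reason)
```

The function never tells you a link is safe; an empty result only means none of these cheap checks fired. The order of the checks mirrors the advice above: who sent it, then where the link actually goes.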
It is important to be aware that as these attacks become more popular, you are more likely to be targeted, because you are a gateway to infecting a much larger group of people: your customers. Attacks targeting site owners are also supply chain attacks. You supply your large audience with content. By controlling your website and serving up a browser exploit, an attacker can take control of a large number of workstations in a single attack.
As site owners it is our responsibility to be more cautious than most when it comes to our security. We have an obligation to our customers and site visitors to stay secure.