Attacker pushes malicious Google Chrome extensions over ads

Share post:

A malvertizing campaign is being used to promote Google Chrome extensions that can hijack search queries and insert affiliate links into websites.

The malicious activity was uncovered by researchers at Guardio Labs, who said that by mid-October 2022, 30 variants of the browser extensions were available in both the Chrome and Edge web stores. These malicious browser extensions amassed over a million installations.

The infection process starts with advertisements or redirecting websites that offer a video or download. In the course of trying to download the program or watch the video, users are redirected to another website where they are asked to install an extension before they can continue.

As soon as a user clicks the ‘OK’ or ‘Continue’ button, they are prompted to install a color-changing extension. Once installed, these extensions redirect users to different pages where malicious scripts are stored that instruct the extension how to perform search hijacking. It also instruct the extension on what sites to insert affiliate links.

“The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls. Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes, and the last is a comma-separated list of 10k + domains. To finish it up, it also assigns a new URL to the location object, so you are redirected to the advertisement that finalizes this flow, as it was just another advertisement popup,” explained the Guardio report.

The researchers found that it is possible to redirect victims to phishing sites in order to steal access data for Microsoft 365, Google Workspace, bank pages or social media platforms.

They also warned that the attackers could use the same stealthy malicious code side-loading technique to carry out more malicious actions than hijacking affiliations.

The sources for this piece include an article in BleepingComputer.


Related articles

Costs from Global CrowdStrike Outage Could Exceed $1 Billion

The global tech outage caused by a faulty CrowdStrike update on Friday could result in damages exceeding $1...

CrowdStrike update: Warnings from national cyber agencies, repair options from Microsoft

National cybersecurity agencies in the U.S., Canada, the U.K. and Australia issued security warnings about the faulty CrowdStrike...

CrowdStrike update causes global IT outages, fix is available

Some airlines, banks and government services around the world have been affected by a faulty software update for...

Charges dismissed in SolarWinds hacking case

A judge has dismissed most of the Securities and Exchange Commission's (SEC) fraud charges against SolarWinds related to...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways