Attacker pushes malicious Google Chrome extensions over ads

Share post:

A malvertizing campaign is being used to promote Google Chrome extensions that can hijack search queries and insert affiliate links into websites.

The malicious activity was uncovered by researchers at Guardio Labs, who said that by mid-October 2022, 30 variants of the browser extensions were available in both the Chrome and Edge web stores. These malicious browser extensions amassed over a million installations.

The infection process starts with advertisements or redirecting websites that offer a video or download. In the course of trying to download the program or watch the video, users are redirected to another website where they are asked to install an extension before they can continue.

As soon as a user clicks the ‘OK’ or ‘Continue’ button, they are prompted to install a color-changing extension. Once installed, these extensions redirect users to different pages where malicious scripts are stored that instruct the extension how to perform search hijacking. It also instruct the extension on what sites to insert affiliate links.

“The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls. Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes, and the last is a comma-separated list of 10k + domains. To finish it up, it also assigns a new URL to the location object, so you are redirected to the advertisement that finalizes this flow, as it was just another advertisement popup,” explained the Guardio report.

The researchers found that it is possible to redirect victims to phishing sites in order to steal access data for Microsoft 365, Google Workspace, bank pages or social media platforms.

They also warned that the attackers could use the same stealthy malicious code side-loading technique to carry out more malicious actions than hijacking affiliations.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday, Feb. 23, 2024

This episode features discussion on the takedown of the LockBit ransomware gang

Breaking news: RCMP facing ‘alarming’ cyber attack

The RCMP is facing a serious cyber attack from an unspecified threat actor. The Mounties told CBC News today that a “breach of this magnitude is alarming.” “The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson

Leaked documents may show the inside of China’s hacking strategy

Documents apparently stolen by disgruntled employees to embarrass their firm may give insight into China's cyber

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways