Attackers Go on a “Chrome Extension Hijacking Spree” – Several More Compromised
Last month it was reported that a Chrome extension, Copyfish, was compromised after its developer responded to a phishing email - with his Google password. While it may have appeared like a one-off case, researchers have now revealed that at least eight more Chrome extensions are no longer safe to use after someone stole the author’s Google Account credentials via a phishing scheme. This has in turn put the users of those extensions at risk of traffic hijacking and potential theft of credentials.
Security experts at Proofpoint released their research, confirming the list of compromised Chrome extensions:
We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3”  , “CopyFish 2.8.5” , “Web Paint 1.2.1” , and “Social Fixer 20.1.1”  were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.
Criminal hackers and spammers continue to look for new ways to drive traffic to affiliate programs and serve malicious advertisements to their users. In this new case that was first reported last month, researchers noted that attackers are now leveraging Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers.
"At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme," Proofpoint wrote. "Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions."
Proofpoint has not identified any developers except for Chris Pederick who is the author of the Web Developer Chrome extension and had tweeted about the compromise of his extension earlier this month, which actually sparked this research.
Chrome extension developers seem to be on cybercriminals' hit list right now
The security firm's latest research reveals that the same attack vector has been used against other developer(s) too. These compromised extensions seem to have the goal of substituting ads on a victim's browser, hijacking traffic from legitimate ad networks. They also try to trick users into clicking on "repair" programs that redirect them to affiliate programs from which the threat actors could profit from.
In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.
While the attackers did this on a number of websites, they focused most on adult websites with carefully crafted substitutions.
The first case of attackers using Chrome extensions for their scams was reported in July when an A9t9 developer behind the Copyfish extension fell for a phishing email purportedly sent from Google. "The unlucky team member entered the password for our developer account," A9t9 Software had said in response. Since then the company has worked with Google to get back full control of their extension.
A9t9 had written at the time that "phishing for Chrome extensions was simply not on our radar screen," which is why they ignored some "clear giveaways." With Proofpoint's latest revelations, it appears that many more developers will have to specifically devote their energy on not falling for phishing attacks.