More than a half-million workstations at major global organizations were recently found infected with malicious Chrome web browser extensions that were likely used to commit click fraud and search engine optimization manipulation, according to researchers from network security analytics firm ICEBRG.
In a Jan. 15 blog post, members of the ICEBRG Security Research Team report finding four separate extensions, which could have also enabled attackers to access affected organizations' corporate networks and user information. The malicious extensions, named "Change HTTP Request Header," "Nyoogle - Custom Logo for Google," "LiteBookmarks," and "Stickies - Chrome's Post-it Notes," have been removed by Google from the Chrome Web Store, the researchers noted.
The malicious extensions were uncovered during an analysis of unusually high outbound traffic flowing from an ICEBRG customer's workstation to a European virtual private server provider. Further analysis revealed that while the extensions don't contain any overtly malicious code, each has two items that, when combined, let the extension's update server inject arbitrary JavaScript into it: permission to retrieve JSON from an external source, and the ability to evaluate that retrieved content as code. The researchers observed that the injected, obfuscated JavaScript even checks whether Chrome's native developer tools are open, to hinder detection and subsequent analysis by security professionals.
ICEBRG reports that after successful injection, the malicious code establishes a WebSocket tunnel to its command-and-control server and uses it to proxy browsing traffic through the victim's browser, visiting advertising-related domains, presumably for click fraud. "The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties," the blog post adds.
Although the report states that more than 500,000 users were collectively impacted, some of those installations may belong to the same users. Regardless, "The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain," the report concludes. "The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets."