March 19, 2020
According to research from Cisco’s Duo Security, about 500 Chrome extensions were removed for spying on users’ browsing history, mainly for advertising purposes. Last year Duo Security released CRXcavator, an automated Chrome extension security assessment tool, to analyze extensions and find risky ones. Browser extensions have long been known as a weak point for personal security and privacy, because of their potential for misuse under the general guise of helpful applications. Increasingly, malicious actors use legitimate internet activity to obfuscate their exploit droppers or command-and-control schemes. A very popular way to do this is to use advertising cookies and the redirects they trigger to control callbacks and evade detection. This technique, called “malvertising”, has become an increasingly common infection vector. Security researcher Jamila Kaya (@bumblebreaches) used CRXcavator to uncover a large-scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. These extensions were commonly presented as offering advertising as a service. Working together, Duo Security and Jamila took the few dozen extensions initially found and used CRXcavator.io to identify 70 matching their patterns across 1.7 million users, then escalated their concerns to Google. Google worked to validate the findings and went on to fingerprint the extensions, which allowed it to search the entire Chrome Web Store base to discover and remove more than 500 related extensions.
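The article describes automated assessment of extensions for risk signals but does not show what such a check looks like. The following is an added illustration, not CRXcavator's scoring or any code from Duo Security: a small Python routine that reads a Chrome extension's manifest.json and flags the combination of broad host access, traffic-intercepting permissions, cookie access, and a content security policy that allows scripts from remote origins (the vector by which an extension can pull ad-network code at runtime). The permission weights, the risk thresholds and both sample manifests are constructed for this example.

```python
"""Added example: a toy risk check over Chrome extension manifests.
Weights, thresholds and sample manifests are assumptions for illustration,
not CRXcavator's own scoring."""
import json

# Constructed weights for permissions that give an extension reach over
# browsing activity, cookies or network traffic (assumption, not CRXcavator's).
PERMISSION_WEIGHTS = {
    "<all_urls>": 3,
    "webRequest": 2,
    "webRequestBlocking": 2,
    "cookies": 2,
    "history": 2,
    "tabs": 1,
    "storage": 0,
}

def host_pattern_weight(pattern: str) -> int:
    """Score a host match pattern: wildcards over every host count as broad reach."""
    if pattern.startswith(("*://*/", "http://*/", "https://*/")):
        return 3
    return 0

def remote_script_sources(csp: str) -> list:
    """Return the remote origins a CSP's script-src directive allows, if any."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return [s for s in parts[1:] if s.startswith(("http:", "https:", "*"))]
    return []

def assess_manifest(manifest: dict) -> dict:
    """Score a parsed manifest and return the findings with a coarse risk level."""
    findings, score = [], 0
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        weight = PERMISSION_WEIGHTS.get(perm)
        if weight is None:
            weight = host_pattern_weight(perm)
        if weight:
            score += weight
            findings.append(f"permission {perm!r} (+{weight})")
    # Manifest V2 stores the CSP as a string; V3 nests it under extension_pages.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    remote = remote_script_sources(csp)
    if remote:
        score += 3
        findings.append(f"CSP allows remote script sources {remote} (+3)")
    # Thresholds are constructed for this example.
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"name": manifest.get("name", "?"), "score": score, "level": level, "findings": findings}

# Constructed sample manifests (not real Web Store extensions).
BENIGN_MANIFEST = json.loads("""{
  "name": "Note Keeper", "manifest_version": 2,
  "permissions": ["storage", "tabs"],
  "content_security_policy": "script-src 'self'; object-src 'self'"
}""")

SUSPICIOUS_MANIFEST = json.loads("""{
  "name": "Ad Helper Pro", "manifest_version": 2,
  "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "cookies"],
  "content_security_policy": "script-src 'self' https://ads.example; object-src 'self'"
}""")

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        report = assess_manifest(m)
        print(f"{report['name']}: {report['level']} (score {report['score']})")
        for f in report["findings"]:
            print("  -", f)
```

Run it as-is to see the two constructed manifests scored; to apply it to a real extension, unpack the .crx and pass its manifest.json through `json.load` before calling `assess_manifest`. A permission score on its own is only a triage signal: legitimate ad-blockers also declare webRequest and broad host access, which is why a review of the actual script behaviour has to follow.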