Around 500 Google Chrome browser extensions, which were found to be secretly uploading private browsing data to servers controlled by hackers, have now been deleted.
The browser extensions, which were downloaded millions of times from Google’s Chrome Web Store, further routed victims’ browsing data to malware-laced websites, according to independent news site Threatpost.
According to researchers cited in the Threatpost report, the malicious extensions were a part of a malvertising campaign that harvested browser data.
Malvertising campaigns are used to further fraudulent activity, including data exfiltration, phishing or ad fraud. In this case, hackers were redirecting victims from legitimate online ad streams to pages laced with viruses and malware.
According to Jamila Kaya, an independent security researcher cited in Threatpost, these extensions were masked as an online advertisement or a web service.
Kaya discovered that they were part of a network of copycat plug-ins sharing nearly identical functionality. The researchers, who tracked a few dozen extensions and identified 70 matching their patterns, across 1.7 million users, raised their concerns with Google and asked it to intervene in the matter.
The tech giant then tracked 430 additional extensions that were linked to malvertising campaigns. The extensions had almost no ratings on Google’s Chrome Web Store, and the source code of the extensions were all nearly identical.
Researchers noted that once downloaded, the extensions would connect the browser clients to a command-and-control (C2) server and then exfiltrate private browsing data without the user’s knowledge.
Researchers believed that the actors behind this campaign have been active since January 2019, with activity escalating between March and June.
According to the report, the extensions would redirect browsers to various domains with advertising streams. The legitimate ad streams were coupled with malicious ad streams that redirected users to malware and phishing landing pages.
The case highlights a serious problem plaguing internet users — the issue of security threat. It is not the first time such a campaign is being carried out. In 2017, a malicious Google Chrome extension spread in phishing emails, stole any data posted online by victims.
In 2018, four malicious extensions were discovered in the official Google Chrome Web Store, with a combined user count of more than 500,000. And, in January 2019, the Google Chrome and Mozilla Firefox teams cracked down on web browser extensions that stole user data and executed remote code, among other bad actions.
Google has also initiated a programme that will pay out bounties to researchers who find extensions that violate this policy, the Threatpost report added.