Jump to content
  • Chrome extensions with 1 million installs hijack targets’ browsers

    alf9872000

    • 484 views
    • 3 minutes
     Share


    • 484 views
    • 3 minutes

    Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome extensions that hijack searches and insert affiliate links into webpages.

     

    Because all these extensions offer color customization options and arrive on the victim's machine with no malicious code to evade detection, the analysts named the campaign "Dormant Colors."

     

    According to the Guardio report, by mid-October 2022, 30 variants of the browser extensions were available on both the Chrome and the Edge web stores, amassing over a million installs.

     

    extensions.png
    30 add-ons that were present on web stores until recently (Guardio)

    More than hijacking

    The infection begins with advertisements or redirects when visiting web pages that offer a video or download.

     

    However, when attempting to download the program or watch the video, you are redirected to another site stating you must install an extension to continue, as demonstrated below.

     

    When the visitor clicks on the 'OK' or 'Continue' button, they are then prompted to install an innocuous-looking color-changing extension.
     

    However, when these extensions are first installed, they will redirect users to various pages that side-load malicious scripts that instruct the extension on how to perform search hijacking and on what sites to insert affiliate links.

     

    "The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls," explains the Guardio report.

     

    "Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a '#' separated list of strings and regexes and the last is a comma-separated list of 10k+ domains."

     

    "To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as it is was just another advertisement popup."

     

    process-diagram.png
    How the extension attack unfolds on the host (Guardia)
     

    When performing search hijacking, the extension will redirect search queries to return results from sites affiliated with the extension's developer, thus generating income from ad impressions and the sale of search data.

     

    Dormant Colors goes beyond this by also hijacking the victim’s browsing on an extensive list of 10,000 websites by automatically redirecting users to the same page but this time with affiliate links appended to the URL.

     

    Once the affiliate tags are appended to the URL, any purchase made on the site will generate a commission for the developers.

     

    Guardio has also shared a video demonstrating the affiliation hijacking component, shown below.

     

    Potential for more

    The researchers warn that using the same stealthy malicious code side-loading technique, the operators of Dormant Colors could achieve potentially nastier things than hijacking affiliations.

     

    The researchers say it’s possible to redirect victims to phishing pages to steal credentials for Microsoft 365, Google Workspace, bank sites, or social media platforms.

     

    more-damage.png

    Theoretical alternative attack (Guardia)

     

    While there are no signs that the campaigns are performing this more malicious behavior, the researchers say it could be enabled simply by side-loading additional scripts.

     

    The extensions and the websites listed in the report's IoCs section have been removed/taken offline, but the researchers warn that the operation is constantly renewed with new add-on names and domains.

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...