Wordfence, a security vendor focused on the WordPress CMS, has published a warning about attacks against Google Chrome browser extensions. The blog post was written by Mark Maunder, CEO of Wordfence, and it lists the extensions at risk. It also gives advice to webmasters on how to protect themselves against the attack.
According to Maunder: “During the past 3 months, eight Chrome browser extensions were compromised and the attacker used them to steal Cloudflare credentials and serve up malicious ads.”
Maunder estimates that the total number of customers using these browser extensions is over 4.8 million. How many were affected is not known and unlikely to ever be known.
Which Google Chrome extensions have been compromised?
The eight compromised extensions and their version numbers are:
- Web Developer – Version 0.4.9 affected
- Chrometana – Version 1.1.3 affected
- Infinity New Tab – Version 3.12.3 affected
- CopyFish – Version 2.8.5 affected
- Web Paint – Version 1.2.1 affected
- Social Fixer – Version 20.1.1 affected
- TouchVPN appears to have been affected but the version is unclear
- Betternet VPN also appears to have been affected but no version was provided
In each case, developers were persuaded to hand over their account credentials for security provider Cloudflare. The attacks were delivered as part of a tightly controlled spear phishing campaign. Developers received an email that appeared to come from customer support company Freshdesk.Com. They were told that there was a problem with their extension that could lead to it being removed from the Google Chrome Web Store.
To help the developers fix the problem there was a “log in to your developer dashboard” hyperlink with a shortened URL. It seems that none of the developers checked the URL by using a URL expander. All they did was click on the link in the email. This is a commonly used attack vector and it will embarrass all of the developers who fell for this trick.
What did the attackers do?
The attackers modified the Chrome extensions and released them as a new version. Maunder has outlined the code that they used. This code allows the attackers to take over the Chrome browser of anyone who has one of the browser extensions installed.
The attackers were then able to do multiple things. They could:
- Take over any website that the victim was logged into and modify web pages. For developers who manage sites for multiple customers this is a devastating attack.
- Steal Cloudflare credentials and use them to obtain a Cloudflare API key.
- With the Cloudflare API they could redirect the website DNS entry to point to a fake domain owned by the attackers.
- Redirect legitimate adverts by hijacking them and pointing them to adult websites that they own.
The redirection of advertising or malvertising appears to be the primary goal of these attacks. The attackers are paid for each time an advert is clicked on. The more legitimate adverts they can hijack the more money they can make.
Interestingly, Maunder has not suggested that the attackers have sold access to third parties. This is a common and very lucrative route for many hackers and cyber criminals. It opens up visitors to a website to being redirected to websites that install a range of malicious code. That code can install ransomware, key loggers, banking malware and a range of other nasty code.
What does this mean?
The big lesson here, as Maunder points out, is that anyone can fall victim to the right spear phishing campaign. In this case it seems to have taken very little effort to take over these eight services. There is no evidence that this is a definitive list and there could be other extensions out there whose developers are too embarrassed to admit to being phished.
The lesson here is never click on a link in an email, even one you have checked. Always open a new browser window and type the URL in yourself. This will defeat a number of hidden attacks that can redirect you to a malicious site.
Another lesson that Maunder highlights is the need to uninstall unwanted components. Some of these might have been installed as limited trials, others may no longer be used. Most developers are guilty of having a number of browser extensions and website add-ons they no longer need. Removing them will reduce the risk of an old component being used to hack a computer.
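A practical way to act on both the list of affected versions above and the advice to audit installed extensions is to scan a Chrome profile's Extensions folder for the names and versions Wordfence listed. The following script is an added example written for this article; it is not Wordfence's code or Google's. It assumes Chrome's on-disk layout of one manifest.json per Extensions/<id>/<version>/ folder and the default profile paths shown in default_extensions_dir(); the demo_profile() helper builds a constructed sample tree so the scan can be run without a real browser profile.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# Compromised versions exactly as listed in the Wordfence post quoted above.
# TouchVPN and Betternet VPN were named without a version, so any installed
# copy is reported for manual review rather than flagged as compromised.
COMPROMISED = {
    "Web Developer": {"0.4.9"},
    "Chrometana": {"1.1.3"},
    "Infinity New Tab": {"3.12.3"},
    "CopyFish": {"2.8.5"},
    "Web Paint": {"1.2.1"},
    "Social Fixer": {"20.1.1"},
    "TouchVPN": None,
    "Betternet VPN": None,
}
_LOOKUP = {name.lower(): (name, versions) for name, versions in COMPROMISED.items()}
_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def default_extensions_dir() -> Path:
    """Default Chrome profile's Extensions folder on the current platform (assumed layout)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return home / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Return the display name; manifests often use __MSG_key__ i18n placeholders."""
    name = manifest.get("name", "")
    match = _MSG_RE.match(name)
    if not match:
        return name
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
        return messages[match.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # keep the placeholder if the locale file is missing or malformed


def scan_extensions(extensions_dir) -> list:
    """Walk <Extensions>/<id>/<version>/manifest.json and report listed extensions."""
    findings = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return findings
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the scan
        name = resolve_name(ext_dir, manifest).strip()
        hit = _LOOKUP.get(name.lower())
        if hit is None:
            continue
        listed_name, bad_versions = hit
        version = str(manifest.get("version", ""))
        if bad_versions is None:
            status = "listed without version; review manually"
        elif version in bad_versions:
            status = "compromised version installed"
        else:
            continue  # a different version of a listed extension is not flagged
        findings.append({"id": ext_dir.parent.name, "name": listed_name,
                         "version": version, "status": status})
    return findings


def demo_profile() -> Path:
    """Build a constructed Extensions tree in a temp dir (sample data, not real installs)."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-demo-"))
    samples = [
        ("aaaa", "0.4.9_0", {"name": "__MSG_appName__", "version": "0.4.9",
                             "default_locale": "en"}, {"appName": {"message": "Web Developer"}}),
        ("bbbb", "1.1.4_0", {"name": "Chrometana", "version": "1.1.4"}, None),
        ("cccc", "2.0.0_0", {"name": "TouchVPN", "version": "2.0.0"}, None),
        ("dddd", "5.1.0_0", {"name": "Unrelated Extension", "version": "5.1.0"}, None),
    ]
    for ext_id, folder, manifest, messages in samples:
        ext_dir = root / ext_id / folder
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            loc = ext_dir / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass an Extensions folder as the first argument, or scan the default profile.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for f in scan_extensions(target):
        print(f"{f['id']}  {f['name']} {f['version']}: {f['status']}")
```

The scan matches on the manifest's declared name and version, which is what Chrome shows in chrome://extensions, and resolves the __MSG_ placeholder names that localized extensions use. A "different version" of a listed extension is deliberately not reported, since the post only identifies the specific versions that shipped the attacker's code; anything flagged should be removed, and credentials used from that browser rotated, per the advice above.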