Chrome users, beware! Researchers at enterprise security firm ICEBRG have discovered four malicious extensions in the Google Chrome Web Store that have apparently affected more than half a million Google Chrome users around the world. The researchers have already informed Google, and Google has since removed all four malicious extensions from the Chrome Web Store.
“Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally,” the security firm’s blog reads.
The malicious extensions discovered are Change HTTP Request Header, Nyoogle, Lite Bookmarks, and Stickies. “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information,” they added. Click fraud campaigns “enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click,” ICEBRG wrote.
Additionally, such attackers could use this same capability to “browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties”. While these extensions have now been removed, researchers warn that the malware may still be present on impacted machines, even if the extensions are no longer available in the store. They may also still be available for download via third-party Chrome extension sources.
Researchers say the effect of such a scheme can be massive. A similar botnet uncovered in 2013 had more than 120,000 host machines and cost advertisers $6 million per month before it was taken down. It is unclear how much money the individuals behind this new batch of malicious Chrome extensions made from the scheme.
Moreover, the blog notes that “although Google is working to give enterprises more options for managing Chrome extensions, without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks”.
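Two practical follow-ups come out of the last two points: checking whether any of these extensions are still installed on a machine now that they are gone from the store, and using Chrome's enterprise policy to stop unreviewed extensions from being installed at all. The script below is an added example and is not ICEBRG's tooling or code from the article. It reads the on-disk layout Chrome uses for installed extensions (profile/Extensions/id/version/manifest.json), flags any extension whose name matches the four named above or that requests permissions broad enough to drive traffic to arbitrary sites or browse internal ones, and then builds the managed-policy JSON (ExtensionInstallBlocklist / ExtensionInstallAllowlist) that restricts Chrome to the reviewed allowlist. The profile it scans is a constructed sample written to a temporary directory, and the 32-character extension IDs in it are placeholders, not the IDs of the real malicious extensions.

```python
"""Inventory a Chrome profile's installed extensions and flag suspicious ones.

Added example, not ICEBRG's tooling. Chrome unpacks each installed extension to
<profile>/Extensions/<32-char id>/<version>/manifest.json. Typical profile paths:
~/.config/google-chrome/Default (Linux),
~/Library/Application Support/Google/Chrome/Default (macOS),
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default (Windows).
"""
import json
import tempfile
from pathlib import Path

# Names of the four extensions reported by ICEBRG (matched case-insensitively).
KNOWN_BAD_NAMES = {"change http request header", "nyoogle", "lite bookmarks", "stickies"}

# Permissions that let an extension load or manipulate arbitrary pages in the
# background, the capability click fraud and internal-site browsing depend on.
RISKY_PERMISSIONS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*",
                     "webRequest", "webRequestBlocking", "proxy", "tabs",
                     "cookies", "history"}


def _resolve_name(ext_dir, manifest):
    """Resolve localized names (__MSG_key__) via _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        if msg_file.is_file():
            messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
            name = messages.get(key, {}).get("message", name)
    return name


def _permissions(manifest):
    """Collect string permissions, MV3 host_permissions and content-script
    match patterns; non-string entries such as {"usbDevices": [...]} are skipped."""
    perms = set()
    for key in ("permissions", "host_permissions"):
        perms |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    for script in manifest.get("content_scripts", []):
        perms |= {m for m in script.get("matches", []) if isinstance(m, str)}
    return perms


def inventory(profile_dir):
    """Return one dict per installed extension version, sorted by extension id."""
    results = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return results
    for id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            name = _resolve_name(ver_dir, manifest)
            perms = _permissions(manifest)
            flags = []
            if name.strip().lower() in KNOWN_BAD_NAMES:
                flags.append("name matches an extension reported as malicious")
            risky = sorted(perms & RISKY_PERMISSIONS)
            if risky:
                flags.append("broad permissions: " + ", ".join(risky))
            results.append({"id": id_dir.name, "version": ver_dir.name,
                            "name": name, "permissions": sorted(perms),
                            "flags": flags})
    return results


def build_allowlist_policy(extensions):
    """Managed policy that blocks every extension except the unflagged ones.
    On Linux this JSON is dropped in /etc/opt/chrome/policies/managed/; the
    same policy names are set via registry/GPO on Windows and a plist on macOS."""
    allowed = sorted({e["id"] for e in extensions if not e["flags"]})
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": allowed}


def make_sample_profile():
    """Constructed sample profile in a temp dir; the IDs are placeholders."""
    root = Path(tempfile.mkdtemp())
    samples = [
        ("a" * 32, "1.0.3", {"manifest_version": 2, "name": "Lite Bookmarks",
                             "permissions": ["tabs", "<all_urls>", "webRequest"]}, None),
        ("b" * 32, "2.1", {"manifest_version": 3, "name": "__MSG_appName__",
                           "default_locale": "en", "permissions": ["storage"],
                           "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]},
         {"appName": {"message": "Nyoogle"}}),
        ("c" * 32, "0.9", {"manifest_version": 3, "name": "Corporate SSO Helper",
                           "permissions": ["storage", {"usbDevices": []}]}, None),
    ]
    for ext_id, version, manifest, messages in samples:
        ext_dir = root / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest))
        if messages:
            loc = ext_dir / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages))
    return root


if __name__ == "__main__":
    exts = inventory(make_sample_profile())
    for e in exts:
        print(e["id"], e["version"], e["name"], e["flags"] or "ok")
    print(json.dumps(build_allowlist_policy(exts), indent=2))
```

Point inventory() at a real profile directory to audit an endpoint; the name check only catches the four extensions the article names, so the permission check is what does the work against whatever is uploaded next under a different name. The generated policy is deliberately deny-by-default: an allowlist built from a reviewed inventory is the control that removes the dependence on the store's own vetting that the last paragraph describes.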