Hijacked Chrome extensions infect millions of users

News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more.

According to threat protection vendor Proofpoint, the eight compromised Chrome browser extensions include two that were hijacked earlier this month -- Copyfish and Web Developer. According to the Proofpoint researcher known as Kafeine, the other six compromised extensions are Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. Across downloads of all eight hijacked extensions, nearly 4.8 million users received the attackers' malicious code.

"At the end of July and beginning of August, several Chrome Extensions were compromised after their author's Google Account credentials were stolen via a phishing scheme," Kafeine wrote in a blog post. "This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft."

Targeted users were shown a JavaScript alert that said their PC needed to be repaired and were then directed to pay for the false repairs, enabling the attackers to profit from this scheme.

According to Kafeine, the attackers "are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims' browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions."

However, Kafeine also noted that, "in addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks."

There is no proof yet that all of the hijacked Chrome extensions were targeted by the same hacker or hacking group, though the compromises all happened in the same time frame.

Google has dealt with security issues surrounding Chrome browser extensions in the past. In 2015, the company implemented a policy that requires all Windows and Mac users and developers to install extensions only from the Chrome Web Store. This change was spurred by concerns about extensions that enabled the download of malware. The policy update also included a feature called Enhanced Item Validation, which runs additional checks on extensions before they are published in the Chrome Web Store.

In other news

  • DNS provider Cloudflare terminated the account of neo-Nazi website the Daily Stormer. In an official statement, the company's co-founder and CEO Matthew Prince wrote: "Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology." However, in a candid internal notice to Cloudflare employees, Prince said the decision was personal. "I woke up this morning in a bad mood and decided to kick them off the Internet," he wrote. While the company has previously maintained content neutrality, Prince said Cloudflare still received requests to terminate its distributed denial-of-service (DDoS) attack protection services for the site. "The initial requests we received to terminate their service came from hackers who literally said: 'Get out of the way so we can DDoS this site off the Internet,'" wrote Prince. In the official statement, he went on to acknowledge his decision is "dangerous," but argued it likely won't set a precedent. The Electronic Frontier Foundation (EFF), however, issued a statement that expressed concern over Cloudflare's decision, arguing that "because Internet intermediaries, especially those with few competitors, control so much online speech, the consequences of their decisions have far-reaching impacts on speech around the world. And at EFF we see the consequences first hand: every time a company throws a vile neo-Nazi site off the Net, thousands of less visible decisions are made by companies with little oversight or transparency. Precedents being set now can shift the justice of those removals." While the EFF is clear that it disagrees with the content on the Daily Stormer, the group said it defends "the right of anyone to choose what speech they provide online; platforms have a First Amendment right to decide what speech does and does not appear on their platforms."
  • A Venafi survey found that 72% of security professionals don't believe that encryption backdoors would make a nation safer from terrorists. Venafi surveyed over 290 attendees of the Black Hat USA conference in July and found that "the majority of industry professionals believe encryption backdoors are ineffective and potentially dangerous." In a blog post, Venafi wrote that, "it is widely acknowledged that backdoors into encryption technology create vulnerabilities that can be exploited by a wide range of malicious actors, including hostile or abusive government agencies," and despite the danger, many government officials advocate for encryption backdoors to "strengthen national security and hinder terrorism." Respondents of the survey disagree -- 91% of them said cybercriminals could take advantage of encryption backdoors that are government mandated. Another notable finding is that 81% of respondents said they believe that governments should not have the ability to force technology companies to give them access to encrypted user data.
  • VMware patched an important denial-of-service vulnerability in its NSX-V Edge products. The vulnerability, according to VMware's advisory, is that the "VMware NSX-V implementation of the OSPF protocol doesn't correctly handle the link-state advertisement (LSA). A rogue LSA may exploit this issue resulting in continuous sending of LSAs between two routers eventually going in loop or loss of connectivity." VMware also noted that the vulnerability, classified as CVE-2017-4920, is tough to exploit because an attacker would need local access to the targeted system in order for an exploit to be possible. Security researchers Adi Sosnovich, Orna Grumberg and Gabi Nakibly first reported the vulnerability to VMware. Patches are now available for all affected products, regardless of the platform they run on.
