Over 500,000 Users Impacted by Malicious Chrome Extensions

Jan 16, 2018 | Blog

Most browsers today let users install extensions, small web-based applications that enhance the browsing experience but that can also pose a threat, since they are able to inject and execute malicious code. Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation. The resulting investigation led to the discovery of four malicious Chrome extensions, all available through the official Chrome Web Store, which had infected over half a million users worldwide, including employees of major organizations. The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could also have been used by threat actors to gain access to corporate networks and user information, the security company warns. According to the researchers, the four extensions were designed to let attackers send commands to users' browsers in the form of JavaScript code, but the attackers only used this ability to perform click fraud by loading a site in the background and clicking on ads.

The names of the four extensions are:

  • Change HTTP Request Header (ppmibgfeefcglejjlpeihfdimbkfbbnm)
  • Nyoogle - Custom Logo for Google (ginfoagmgomhccdaclfbbbhfjgmphkph)
  • Lite Bookmarks (mpneoicaochhlckfkackiigepakdgapj)
  • Stickies - Chrome's Post-it Notes (djffibmpaakodnbmcdemmmjmeolcmbae)

Three of the four extensions have been removed from the Chrome Web Store, while the Nyoogle extension is still available. Removal from the store does not uninstall an extension, so many users still have them loaded in their browsers. The company has published a detailed report on the extensions' malicious behavior in the hope that users will take the time to check their browsers and remove the malicious extensions from their computers. It is unclear whether the same group is behind all four extensions, but ICEBRG said that all of them featured similar tactics, techniques, and procedures.
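The check a workstation owner or responder would want is a scan of the local Chrome profiles for the four extension IDs listed above. The script below is an added example, not code from the article or from ICEBRG; it assumes Chrome's usual layout of unpacked extensions at `<User Data>/<profile>/Extensions/<id>/<version>/manifest.json` and the platform default `User Data` paths, and builds a constructed sample tree so it can be exercised offline.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension IDs named in the ICEBRG report (taken from the article above).
FLAGGED_IDS = {
    "ppmibgfeefcglejjlpeihfdimbkfbbnm": "Change HTTP Request Header",
    "ginfoagmgomhccdaclfbbbhfjgmphkph": "Nyoogle - Custom Logo for Google",
    "mpneoicaochhlckfkackiigepakdgapj": "Lite Bookmarks",
    "djffibmpaakodnbmcdemmmjmeolcmbae": "Stickies - Chrome's Post-it Notes",
}

def default_user_data_dirs():
    """Usual Chrome 'User Data' locations per platform (assumed defaults, not from the article)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]

def find_flagged_extensions(user_data_dir):
    """Return (profile, ext_id, name, versions) for every flagged ID installed under user_data_dir.
    Chrome unpacks each extension at <profile>/Extensions/<id>/<version>/manifest.json."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for profile in sorted(root.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if ext_dir.name in FLAGGED_IDS:
                versions = sorted(v.name for v in ext_dir.iterdir() if (v / "manifest.json").is_file())
                hits.append((profile.name, ext_dir.name, FLAGGED_IDS[ext_dir.name], ",".join(versions)))
    return hits

def build_sample_user_data():
    """Constructed sample: a temp 'User Data' tree holding one flagged and one benign extension."""
    root = Path(tempfile.mkdtemp())
    for ext_id, version in [("ginfoagmgomhccdaclfbbbhfjgmphkph", "2.1"),
                            ("abcdefghijklmnopabcdefghijklmnop", "1.0")]:  # second ID is made up
        d = root / "Default" / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": version}))
    return root

if __name__ == "__main__":
    for d in default_user_data_dirs():
        for profile, ext_id, name, ver in find_flagged_extensions(d):
            print(f"FLAGGED {d}/{profile}: {name} ({ext_id}) version {ver}")
```

A hit means the extension is still installed in that profile even if it has since been pulled from the Web Store; it must be removed from the browser itself.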