Half a million Chrome users hit by malicious extensions

Half a million Chrome users have been running malicious browser extensions, according to reports.

Researchers from security firm Icebrg detected four malicious extensions: Change HTTP Request Header, Nyoogle, Lite Bookmarks and Stickies. Between them, the extensions have been downloaded half a million times.

Change HTTP Request Header is, according to the duo, a legitimate feature which hides the browser type from being tracked. However, it downloads a JSON blob from ‘change-request[.]info’, and that blob pushes a configuration update. Only then does obfuscated JavaScript get pulled in from the control domain.

“Once injected, the malicious JavaScript establishes a WebSocket tunnel with ‘change-request[.]info’. The extension then utilises this WebSocket to proxy browsing traffic via the victim’s browser”, the post said.

The other three extensions use a similar process to inject risky JavaScript, the researchers claim. Stickies was particularly cheeky, trying “to obfuscate its ability to retrieve external JavaScript for injection by modifying its included jQuery library”.
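For defenders, the manifest settings that make this kind of runtime retrieval and execution of external JavaScript possible can be audited on disk. The following is an added example, not code from the article or from Icebrg; it assumes Chrome's `Extensions/<id>/<version>/manifest.json` profile layout, and the finding names and sample manifest are constructed for illustration.

```python
import json
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def script_src(csp):
    """Return the sources of script-src, falling back to default-src."""
    directives = {p.split()[0].lower(): p.split()[1:] for p in csp.split(";") if p.split()}
    return directives.get("script-src", directives.get("default-src", []))

def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):                     # Manifest V3: per-context policies
        csp = csp.get("extension_pages", "")
    for source in script_src(csp):
        if source == "'unsafe-eval'":
            findings.add("csp-unsafe-eval")       # fetched strings can be eval()'d
        elif source.startswith(("http:", "https:", "*")):
            findings.add("csp-remote-script")     # scripts may load from the network
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for content_script in manifest.get("content_scripts", []):
        declared += content_script.get("matches", [])
    hosts = {p for p in declared if isinstance(p, str)}
    if hosts & BROAD_HOSTS:
        findings.add("broad-host-access")         # can read or alter every site
    return sorted(findings)

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                              # unreadable or malformed manifest
        findings = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if findings:
            report[path.parent.parent.name] = findings   # keyed by extension ID
    return report

# Constructed sample manifest (not taken from any real extension).
SAMPLE = {
    "manifest_version": 2,
    "name": "constructed-example",
    "permissions": ["webRequest", "<all_urls>"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
}
```

A finding is a prompt for manual review rather than a verdict, since many legitimate extensions also request broad host access.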

Google has removed the extensions from the Chrome Store.

“The total installed user base of the aforementioned malicious Chrome extensions provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain,” the report added.

"The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets. It should be noted that although Google is working to give enterprises more options for managing Chrome extensions, without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks."

Image Credit: JMiks / Shutterstock