NES Africa Group

4.8 million affected by Chrome Extension attacks targeting site owners

Thursday, 17 August 2017 / Published in Security

During the past 3 months, eight Chrome browser extensions were compromised and the attacker used them to steal Cloudflare credentials and serve up malicious ads.

This post discusses exactly what happened, how to protect yourself and what the wider implications are of this supply chain attack.

How the Chrome Extensions Were Compromised

In June, July and August, developers of the following Chrome extensions had their login credentials stolen through a phishing attack. The extensions affected are:

  • Web Developer – version 0.4.9 affected
  • Chrometana – version 1.1.3 affected
  • Infinity New Tab – version 3.12.3 affected
  • CopyFish – version 2.8.5 affected
  • Web Paint – version 1.2.1 affected
  • Social Fixer – version 20.1.1 affected
  • TouchVPN – appears to have been affected, but the version is unclear
  • Betternet VPN – also appears to have been affected, but no version was provided

Based on total installs for these extensions, the attackers targeted a total of 4.8 million users. The developers of these Chrome extensions all had their account credentials compromised. They received an email that looked like this:

The link in the email used the bit.ly URL shortener to redirect the developer to a fake login page, which harvested their credentials and allowed the malicious actor to take control of the Chrome extension developer’s account.

How the Attackers Modified Affected Chrome Extensions

Once the attackers had access to modify the code in these Chrome extensions and release new code, they made a change that injected their own malicious JavaScript into the extensions. The new code looked like this:

The code injects JavaScript from the attacker’s own domain into the victim’s browser. The victim here is someone who is using the Chrome web browser and has one of these extensions installed.

This allows an attacker to perform any action as the victim. This includes accessing any website the victim is signed into and modifying the content of any web page that the victim views. Once an attacker has control of one of your Chrome extensions, they own your web browser.

How Cloudflare Credentials Were Stolen

Once a victim installed a compromised Chrome extension, the extension would steal Cloudflare credentials if the victim had a Cloudflare account. The extension did this by making a request to a URL on Cloudflare to retrieve the account’s API key.

Once the attacker’s compromised extension obtained the API key, it sent the key, together with the user’s email address, to the attacker’s website. The code that does this is shown below:

Why Cloudflare Credentials Were Stolen

Once the attacker has a site owner’s Cloudflare credentials, they can perform a variety of malicious actions. This includes modifying a website’s DNS entry to point the site at the attacker’s own server. The API call they would make to do this is the “Update DNS record” function in the Cloudflare API.

This is an example request showing how the user email and API key are used with curl from the command line to update a DNS record:

At this time we have no reports of websites having their traffic redirected by the attacker. They may have collected credentials for a future attack.
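The defensive counterpart to the “Update DNS record” call described above is to watch your own zone for records that no longer match what you expect. The following script is an added example, not part of the original article or of Wordfence’s or Cloudflare’s code. It lists a zone’s DNS records through the Cloudflare v4 API using the same email and API key header pair the article refers to, and compares them against a baseline the site owner maintains. The baseline, the zone contents and the sample API response are all constructed for illustration; the record IDs and addresses are placeholders.

```python
import json
import urllib.request

# Baseline of the records you expect in your zone, keyed by (type, name).
# These values are constructed for the example; a real baseline would be
# exported once from a known-good state and kept under version control.
BASELINE = {
    ("A", "example.com"): "203.0.113.10",
    ("A", "www.example.com"): "203.0.113.10",
    ("MX", "example.com"): "mail.example.com",
}


def fetch_dns_records(zone_id, auth_email, api_key):
    """List the DNS records of a zone via the Cloudflare v4 API.

    Uses the X-Auth-Email / X-Auth-Key headers (email plus Global API Key),
    i.e. exactly the credential pair the compromised extensions exfiltrated.
    This performs a network call and is not used by the offline demo below.
    """
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/dns_records?per_page=100")
    req = urllib.request.Request(url, headers={
        "X-Auth-Email": auth_email,
        "X-Auth-Key": api_key,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_drift(api_response, baseline):
    """Compare live records against the baseline.

    Returns a list of (kind, type, name, expected, actual) tuples where kind
    is 'changed' (a record now points somewhere else, the effect of an
    unauthorised 'Update DNS record' call), 'missing' or 'unexpected'.
    """
    if not api_response.get("success"):
        raise ValueError(f"API call failed: {api_response.get('errors')}")
    live = {(r["type"], r["name"]): r["content"]
            for r in api_response["result"]}
    drift = []
    for key, expected in baseline.items():
        actual = live.get(key)
        if actual is None:
            drift.append(("missing",) + key + (expected, None))
        elif actual != expected:
            drift.append(("changed",) + key + (expected, actual))
    for key, actual in live.items():
        if key not in baseline:
            drift.append(("unexpected",) + key + (None, actual))
    return drift


# Constructed sample response in the shape of Cloudflare's list endpoint.
# The www record has been repointed at an address that is not in the baseline.
SAMPLE_RESPONSE = {
    "success": True, "errors": [], "messages": [],
    "result": [
        {"id": "rec1", "type": "A", "name": "example.com",
         "content": "203.0.113.10", "proxied": True},
        {"id": "rec2", "type": "A", "name": "www.example.com",
         "content": "198.51.100.77", "proxied": False},
        {"id": "rec3", "type": "MX", "name": "example.com",
         "content": "mail.example.com", "priority": 10},
    ],
}

if __name__ == "__main__":
    # Offline demo on the constructed response. For a live check, replace
    # SAMPLE_RESPONSE with fetch_dns_records(zone_id, email, api_key).
    for entry in find_drift(SAMPLE_RESPONSE, BASELINE):
        print(entry)
```

Run this from a scheduled job and alert on any non-empty result. If you believe your key has been exposed, rotate the Global API Key in the Cloudflare dashboard first and then run the check, since the attacker can keep calling the API until the key is invalidated.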

Attackers Engaged in Malvertising

In addition to stealing Cloudflare credentials, the attackers engaged in ‘malvertising’. The malicious Chrome extension code served up ads belonging to the attacker.

They did this by hijacking ads from well known ad networks and replacing those ads with their own ads. Most of the substitutions occurred for ads being served from adult websites.

Many of the ads were a fake alert telling the browser owner they need to repair their PC. They were then redirected to an affiliate program from which the attacker profited.

How to Protect Yourself

1. Even the Pros get Phished

Lesson number one from this attack is that, as it’s been reported in the past, even those of us who are seasoned online professionals can fall victim to a phishing or spear phishing attack. Make absolutely sure that if you receive an email, you verify the origin and think before you click or download.

  1. Never click on a link if you don’t recognize the sender.
  2. Never click a link in an email and sign in to a service. Instead, if you are presented with a sign-in page, go back to the email and look at the email sender, including their domain, and look at the URL of the link you clicked very carefully.
  3. Never download an attachment in an email and open it unless you verify the sender. Even then, consider asking your sender to use a service like Google Docs that doesn’t require you to download attachments.

2. Get rid of browser extensions you don’t need

Lesson two is that browser extensions sometimes get hacked. When they do, it can be a catastrophe for you. If you don’t absolutely have to have a browser extension, get rid of it.

Alternatively, deactivate extensions until you need them. Then activate them, use the extension and deactivate it again. This isn’t ideal, but it will reduce your risk if an extension is compromised for a few days.

That screenshot utility? If you don’t use it daily, dump it. That quote-of-the-day extension? Ditch it if you don’t need it.

In 2010, Chrome hit 10,000 extensions. Today, 7 years later, they probably have well over 100,000 extensions available for the Chrome browser. That many extensions create a large attack surface for malicious actors. Make sure you minimize your risk by removing those you don’t use.
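A practical first step for both lessons in this section is to know what is actually installed. The script below is an added example, not code from the original article or from Wordfence: it walks a Chrome profile’s Extensions directory, reads each extension’s manifest.json, and flags any (name, version) pair that matches the affected versions listed earlier in this post. TouchVPN and Betternet VPN are left out because the article gives no affected version for them. The sample profile tree the demo builds, its extension IDs and the clean “0.5.0” version of Web Developer are all constructed for illustration.

```python
import json
import os
import tempfile

# (name, version) pairs from the article's list of affected extensions.
# Names are compared against the "name" field of each manifest.json.
COMPROMISED_VERSIONS = {
    ("Web Developer", "0.4.9"),
    ("Chrometana", "1.1.3"),
    ("Infinity New Tab", "3.12.3"),
    ("CopyFish", "2.8.5"),
    ("Web Paint", "1.2.1"),
    ("Social Fixer", "20.1.1"),
}

# Where Chrome keeps unpacked extensions for the default profile:
#   Linux:   ~/.config/google-chrome/Default/Extensions
#   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
# Layout is <Extensions>/<extension id>/<version>_<n>/manifest.json.


def scan_extensions_dir(extensions_dir):
    """Return a list of (extension_id, name, version, flagged) tuples for
    every extension found under extensions_dir, sorted by extension id."""
    findings = []
    if not os.path.isdir(extensions_dir):
        return findings
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version_dir in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, don't crash
            # Version is taken from the manifest, not the directory name,
            # because Chrome appends a suffix such as "_0" to the directory.
            name = manifest.get("name", "")
            version = manifest.get("version", "")
            # Localised names appear as "__MSG_...__" placeholders; this
            # scanner does not resolve them from _locales/, so such
            # extensions show up unflagged and should be reviewed by hand.
            flagged = (name, version) in COMPROMISED_VERSIONS
            findings.append((ext_id, name, version, flagged))
    return findings


def build_sample_profile(root):
    """Create a constructed Extensions tree (not a real profile) containing
    one compromised version, one hypothetical clean version and one
    unrelated extension. Extension IDs here are placeholders."""
    sample = {
        "a" * 32: ("Web Developer", "0.4.9"),        # listed as affected
        "b" * 32: ("Web Developer", "0.5.0"),        # hypothetical clean build
        "c" * 32: ("Some Other Extension", "1.0.0"),
    }
    extensions_dir = os.path.join(root, "Extensions")
    for ext_id, (name, version) in sample.items():
        d = os.path.join(extensions_dir, ext_id, version + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"manifest_version": 2, "name": name, "version": version}, fh)
    return extensions_dir


def demo():
    """Build the constructed sample tree in a temp dir, scan it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_sample_profile(tmp))


if __name__ == "__main__":
    # Point scan_extensions_dir at a real profile path to audit your own browser.
    for ext_id, name, version, flagged in demo():
        status = "COMPROMISED" if flagged else "ok"
        print(f"{status:12} {name} {version} ({ext_id})")
```

The full listing, not just the flagged rows, is the useful output: every entry you cannot name a reason for keeping is a candidate for removal under lesson two.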

Supply Chain Attacks on the Rise

The NotPetya ransomware attack that was reported on recently started with an accounting firm in Ukraine, a company called M.E. Doc, having its software distribution system compromised. This allowed an attacker to distribute ransomware to customers of M.E. Doc.

This kind of attack is known as a supply chain attack – when an attacker targets an upstream provider of hardware or software, compromises their systems, and infects their customers.

This attack on the developers of Chrome Extensions is another example of a supply chain attack in action.

If you are a developer, it is important to be aware that as these attacks become more popular, you are more likely to be targeted because you are a gateway to infecting a much larger group of people: your customers.

Attacks targeting site owners are also a supply chain attack. You supply your large audience with content. By controlling your website and serving up a browser exploit, an attacker can take control of a large number of workstations in a single attack.

As site owners it is our responsibility to be more cautious than most when it comes to our security. We have an obligation to our customers and site visitors to stay secure.

Source: Wordfence
