Hijacked Chrome extension developer accounts shipped malware
Phishing stole Chrome Web Store developer credentials and pushed malicious extension updates. The campaign injected ads, redirected traffic, and collected credentials.
Story
In 2017, a threat actor phished Chrome extension developers by impersonating the Chrome Web Store team. The lure sent maintainers to fake Google login pages, giving attackers the credentials needed to publish new versions of legitimate extensions through the normal Chrome Web Store update channel.
Copyfish and Web Developer were the first visible cases, but Proofpoint tied the spree to a broader set that included Chrometana, Infinity New Tab, Web Paint, and Social Fixer, and assessed that TouchVPN and Betternet VPN were hit the same way. BleepingComputer counted nearly 4.8 million installs across the eight extensions; the six extensions modeled as leaf records below are the ones with public version-level evidence.
The payload was built for patience and reach. Proofpoint and Cloudflare both described a ten-minute delay after install or update, then a request for ga.js from a DGA-generated .win domain such as wd7bdb20e4d622f6569f3e8503138c859d.win. The loader could call second-stage scripts for ad replacement, fake repair popups, affiliate redirects, and Cloudflare credential harvesting from the victim's browser.
The ad-fraud work was not generic spray. The substituted banners covered 33 common ad sizes and focused heavily on adult sites and known ad networks, while the traffic redirection infrastructure overlapped with older fake browser-update and cookie-consent campaigns. The campaign shows why extension stores are software supply chains: a maintainer account is a release key, and once it is stolen the attacker can ship code through the same automatic update path users already trust.
Linked Attacks
2017
Web Paint 1.2.1 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
Web Developer 0.4.9 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
Social Fixer 20.1.1 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
Infinity New Tab 3.12.3 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
Copyfish 2.8.5 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
Chrometana 1.1.3 was pushed through the Chrome Web Store after developer-account phishing in the 2017 extension hijacking spree.
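The two concrete indicators this record gives a defender are the loader fetch described in the Story (a request for ga.js from a DGA-generated .win host, published example wd7bdb20e4d622f6569f3e8503138c859d.win, roughly ten minutes after install or update) and the six hijacked extension versions listed above. The triage script below is an added example, not code from Proofpoint, Cloudflare, or any of the cited reports. It runs two checks over constructed sample data: flagging proxy log lines that fetch /ga.js from a .win host shaped like the published domain, and matching an extension inventory against the six known-bad (name, version) pairs. The log line format, the inventory layout, and the host regex are assumptions; in particular the regex generalizes from a single published domain, so a match is a lead to verify, not a confirmed indicator.

```python
"""Triage helpers for the 2017 Chrome extension hijacking indicators.

Added example, not code from any cited report. Two checks:
  1. flag_loader_requests(): find requests for /ga.js to a .win host whose
     label looks like the published sample (short alpha prefix + 32 hex).
  2. flag_known_bad_versions(): match an extension inventory against the
     six (name, version) pairs modeled as leaf records on this page.
"""
import re
from typing import Dict, List, Tuple

# Exact (name, version) pairs from the Linked Attacks list on this page.
KNOWN_BAD_VERSIONS: Dict[str, str] = {
    "Web Paint": "1.2.1",
    "Web Developer": "0.4.9",
    "Social Fixer": "20.1.1",
    "Infinity New Tab": "3.12.3",
    "Copyfish": "2.8.5",
    "Chrometana": "1.1.3",
}

# The one loader domain published by Proofpoint. The regex below is an
# assumption generalized from that single sample: one domain is not enough
# to know the real DGA, so treat regex matches as leads, not confirmations.
OBSERVED_LOADER_DOMAIN = "wd7bdb20e4d622f6569f3e8503138c859d.win"
LOADER_HOST_RE = re.compile(r"^[a-z]{1,3}[0-9a-f]{32}\.win$")

# Assumed proxy log shape: "<timestamp> <client> <METHOD> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?")


def flag_loader_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, host) for every fetch of /ga.js from a DGA-shaped .win host."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format; skip it
        _ts, client, _method, url = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host = u.group(1).lower()
        path = u.group(2) or "/"
        # A ga.js path alone is not suspicious (Google Analytics serves one);
        # the host shape is what separates the loader from legitimate traffic.
        if path.endswith("/ga.js") and (
            host == OBSERVED_LOADER_DOMAIN or LOADER_HOST_RE.match(host)
        ):
            hits.append((client, host))
    return hits


def flag_known_bad_versions(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, name, version) for installs sitting at a hijacked version."""
    bad: List[Tuple[str, str, str]] = []
    for ext in inventory:
        name, version = ext.get("name", ""), ext.get("version", "")
        if KNOWN_BAD_VERSIONS.get(name) == version:
            bad.append((ext.get("host", "?"), name, version))
    return bad


# Constructed sample data (not real logs or a real inventory).
SAMPLE_LOG = [
    "2017-08-02T10:14:03Z 10.0.5.23 GET http://wd7bdb20e4d622f6569f3e8503138c859d.win/ga.js",
    "2017-08-02T10:14:05Z 10.0.5.23 GET https://www.google-analytics.com/ga.js",
    "2017-08-02T10:15:11Z 10.0.5.40 GET http://ab0123456789abcdef0123456789abcdef.win/ga.js",
    "2017-08-02T10:16:00Z 10.0.5.40 GET http://example.win/ga.js",
    "not a log line",
]
SAMPLE_INVENTORY = [
    {"host": "ws-01", "name": "Web Developer", "version": "0.4.9"},
    {"host": "ws-01", "name": "Copyfish", "version": "2.8.4"},
    {"host": "ws-02", "name": "Social Fixer", "version": "20.1.1"},
    {"host": "ws-03", "name": "uBlock Origin", "version": "1.13.8"},
]

if __name__ == "__main__":
    for client, host in flag_loader_requests(SAMPLE_LOG):
        print(f"loader fetch: client={client} host={host}")
    for host, name, version in flag_known_bad_versions(SAMPLE_INVENTORY):
        print(f"hijacked version installed: {host} {name} {version}")
```

The version check is the cheap one to run fleet-wide: Chrome's update channel will have already replaced the hijacked versions on most machines, so any install still at one of these versions is a machine that has not been updating and deserves a look on its own. The loader check needs to be run against traffic from the window when the bad versions were live, since the ten-minute delay means the first beacon lands well after the update itself.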
Campaign Context
- Actor: Cybercriminal
- Attribution: Group
- Cause: Unknown
- User Impact: about 4,800,000 users (BleepingComputer's install count across the eight extensions)
Affected Packages
Notes
- This campaign groups separate Chrome Web Store developer-account compromises. Each extension is modeled as its own attack record because each developer account and extension listing was a distinct distribution boundary.
- TouchVPN and Betternet VPN are included in campaign scope because Proofpoint and Cloudflare named them as likely same-method compromises, but they are not modeled as leaf records because the public sources do not provide the same version-level detail as the six Chrome extension records above.
External References
- Chrome extension developers under a barrage of phishing attacks (bleepingcomputer.com)
- Chrome extension developers under attack (a9t9.com)
- Threat actor goes on a Chrome extension hijacking spree (proofpoint.com)
- Keeping our users safe (blog.cloudflare.com)
- Eight Chrome Extensions Hijacked to Deliver Malicious Code to 4.8 Million Users (bleepingcomputer.com)
- Chrome extensions risks after hijacking spree (securityaffairs.com)
- Chrome browser extensions hijacked (itnews.com.au)
- Chrome Web Developer extension compromised (news.ycombinator.com)
Source record: proprietary/campaigns/chrome-extension-hijacking-2017/meta.yaml