Security researchers have disclosed information on 500 Google Chrome browser extensions that were covertly uploading private data to servers run by bad actors. Once the private information was uploaded, it would be used to push users to malware-infected websites.

The extensions have been removed from the Google Chrome Web Store. However, before their removal they were downloaded millions of times by users.

Many people leverage browser extensions to enhance the functionality of Chrome. Most extensions are useful or entertaining, such as weather widgets, language translation, email notifiers, and tab tools. Of course, ad blockers are also available and are among the most popular extensions.

However, some people use extensions as a way to attack users and systems. Bad actors can develop extensions that are intentionally filled with malware, or they can attack legitimate extensions and make them dangerous.

Attack Campaign

According to researchers, the nefarious extensions were part of a wider malvertising campaign that sought to harvest browser data from users. The scheme involved redirecting users from genuine ads to pages that were infected.

“These extensions were commonly presented as offering advertising as a service,” according to Jamila Kaya, an independent security researcher, and Jacob Rickerd, with Duo Security, in a Thursday analysis (via ThreatPost). “[Security researcher Jamila Kaya] discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and… identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.”

The attacker behind the campaign has been active since January 2019 but ramped up his efforts between March and June. Google says it acted on the information and removed the extensions.

“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said a Google spokesperson in a statement. “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”

Clamping Down

Recently, Google took action on a wider scale against web extensions. As we reported in January, Google decided to disable all extensions that have a payment system. All extensions that require payment or provide in-browser transactions have been closed. Of course, many of these add-ons are legitimate. Google says the measure is temporary but did not say when the restriction will be lifted.

“Earlier this month the Chrome Web Store team detected a significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users,” the company said in a notice, issued Friday. “Due to the scale of this abuse, we have temporarily disabled publishing paid items. This is a temporary measure meant to stem this influx as we look for long-term solutions to address the broader pattern of abuse.”