Google has removed over 500 malicious extensions from the Chrome Web Store over ad fraud. The extensions were found to be a part of a large fraudulent advertising network that injected adware into browsers and pulled browsing data while trapping users with redirect cycles. In some cases, the ads redirected users to websites belonging to big names like Dell and Best Buy, but a majority of them took users to sites that risk malware downloading and phishing. The volume of redirects was also high, which further multiplied the risk posed by these extensions.
The discovery of these shady extensions was made public in a research conducted by independent security researcher Jamila Kaya (@bumblebreaches) and information security expert Jacob Rickerd (@crxpert), and was later published on Cisco-owned Duo. Once the malicious behaviour of these extensions was reported to Google, the company conducted a sweep across the Chrome Web Store and removed more than 500 related extensions.
“We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies”, a Google spokesperson was quoted as saying by Duo.
As per the report, the now-removed Chrome extensions were presented as products that could offer advertising services. But they were found to be a part of a large network comprising of copycat plugins. The research found 70 of these extensions affecting around 1.7 million users, which means the net scale was much larger if there were over 500 such extensions involved in ad fraud.
The malicious Chrome extensions were reportedly created to hide the underlying ad mechanism from users. This made it easier to connect them to a command and control architecture so that browser data can be exfiltrated. During the research, it was found that the extension fraud network has been running for the past couple of years, but their activity potentially dates back to early 2010s. The malicious activity of these Chrome extensions mainly involved ad fraud through a stream of redirects.
Some of the redirects led users to seemingly harmless pages belonging to Dell, Macy's, and Best Buy among others. However, these redirecting streams were mainly used to make users reach a phishing-prone webpage and sites where malware could be downloaded. Bad actors used these extensions to cycle through redirect streams in order to generate ad revenue, and in some cases, these redirects passed well over 30 times.