Up to 1.7 million people have installed Google Chrome extensions that security researchers have found to hide complex advertisement fraud, phishing, and malware networks.
Extensions and plugins give Chrome and other browsers third-party functionality such as the ability to easily save web pages, find discount coupons, and share content to social media. Malicious code hidden in extensions and plugins inevitably slips past the security checks run by major browser developers, including Google and Mozilla.
Independent security researcher Jamila Kaya, together with Duo Security hacker Jacob Rickerd, found 500 extensions on Google’s marketplace that hid complex, highly dynamic advertising networks that siphoned data and slung malware behind a veneer of retail promotions.
Victims are bounced rapidly between as many as 30 advertisements in a manner designed to defraud legitimate advertisers who pay for consumer views. Some of these bounces, or redirects, ultimately land victims on phishing pages or domains that contain malware.
“A large portion of these [networks] are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy,” the researchers said.
“Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site.”
Extensions and plugins have been long regarded with suspicion in security circles. Thousands have been found littered with dangerous vulnerabilities that expose otherwise secure browsers, revealed to have dubious privacy and data handling policies, or caught outright stealing user data.
The browser additions also often decrease the performance of browsers.
Kaya and Rickerd said their work demonstrated the “increasing real-world risk of Chrome extensions” and urged users to regularly audit their extensions and remove those they no longer use or recognise.
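The researchers' advice to audit installed extensions can be put into practice with a short script. The following is an added example, not code from the article or from the researchers: it walks a Chrome profile's Extensions directory (Chrome stores each installed extension as Extensions/<id>/<version>/manifest.json), reads every manifest, and flags permissions that grant broad access to pages or browsing data. The set of permissions treated as worth a closer look, and the two sample manifests it writes into a temporary directory, are assumptions chosen for illustration.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that deserve scrutiny during an audit. This list is an assumption
# for illustration, not an official Chrome classification.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "tabs", "cookies",
    "history", "webNavigation", "proxy", "declarativeNetRequest", "nativeMessaging",
}


def _is_broad_host(pattern):
    # Match patterns such as "*://*/*" or "https://*/*" cover every site.
    return pattern == "<all_urls>" or pattern.endswith("://*/*")


def audit_extensions(extensions_dir):
    """Return one record per installed extension found under extensions_dir.

    Layout walked: <extensions_dir>/<extension id>/<version>/manifest.json
    """
    results = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return results
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (ValueError, OSError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            # Content script match patterns also grant access to matching pages.
            for script in manifest.get("content_scripts", []):
                perms |= set(script.get("matches", []))
            risky = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS or _is_broad_host(p))
            results.append({
                "id": ext_dir.name,
                "name": manifest.get("name", "?"),  # localized names appear as "__MSG_key__"
                "version": manifest.get("version", version_dir.name),
                "risky_permissions": risky,
            })
    return results


def build_sample_profile(base):
    """Write two constructed extensions into base, mimicking Chrome's on-disk layout."""
    sample = {
        # Chrome extension ids are 32 characters drawn from a-p; these are made up.
        "aaaabbbbccccddddeeeeffffgggghhhh": ("1.0.0", {
            "name": "Coupon Finder (constructed)", "version": "1.0.0", "manifest_version": 3,
            "permissions": ["storage"], "host_permissions": ["<all_urls>"],
        }),
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": ("2.3.1", {
            "name": "Page Saver (constructed)", "version": "2.3.1", "manifest_version": 2,
            "permissions": ["activeTab", "storage"],
        }),
    }
    for ext_id, (version, manifest) in sample.items():
        ext_path = Path(base) / ext_id / version
        ext_path.mkdir(parents=True, exist_ok=True)
        (ext_path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return base


def run_sample_audit():
    """Audit the constructed profile in a temporary directory and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(tmp))


def default_extensions_dir():
    """Default Chrome profile Extensions directory for the current platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data/Default/Extensions"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for rec in audit_extensions(target):
        flag = "REVIEW" if rec["risky_permissions"] else "ok"
        print(f'{flag:6} {rec["id"]} {rec["name"]} v{rec["version"]} {rec["risky_permissions"]}')
```

Run it with no argument to scan the default profile on the current machine, or pass the path of another profile's Extensions directory. Entries marked REVIEW are the ones whose name or publisher you should be able to account for; anything unrecognised is a candidate for removal, which is exactly the audit the researchers recommend.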
“Being more mindful and having access to more easily accessible information on extensions can help keep both enterprises and users safe,” they said.
Google thanked the researchers and said it will use the extension violations to train its security tools and teams.