Google removed 500 malicious Chrome extensions from its Web Store after they were found to inject malicious ads and siphon off user browsing data to servers under the control of attackers.
These extensions were part of a malvertising and ad-fraud campaign that had been operating since at least January 2019, although evidence suggests the actor behind the scheme may have been active since 2017.
In addition to requesting extensive permissions that gave the plugins access to the clipboard and to all cookies stored locally in the browser, they periodically connected to a domain that shared the plugin's name (e.g., Mapstrek[.]com, ArcadeYum[.]com) to check for instructions on uninstalling themselves from the browser.
After that initial contact, the plugins connected to a hard-coded C2 domain (e.g., DTSINCE[.]com) to await further commands, receive the locations to which user data should be uploaded, and fetch updated lists of malicious ads and redirect domains, which then sent users' browsing sessions to a mix of legitimate and phishing sites.
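The permission profile described above (clipboard and cookie access combined with broad host access, which gives the extension both the data and a network path to exfiltrate it) is something a defender can check for directly in each extension's manifest.json. The following Python script is an added example, not code from the original report; the sample manifests, extension names, and the placeholder CDN host in them are constructed for illustration, and the permission list it treats as high-risk is an assumption chosen for this example.

```python
"""Audit Chrome extension manifests for a risky permission profile.

Added example: flags extensions that request cookie or clipboard access,
access to every site, or a CSP that permits remotely loaded scripts.
Run audit_directory() against a profile's Extensions folder, or
audit_samples() against the constructed manifests below.
"""
import json
from pathlib import Path
from typing import Dict, List

# Permissions that expose cookies or clipboard contents, or allow every
# request to be intercepted; benign extensions rarely need all of them.
# (Assumed list for this example, not an official Chrome classification.)
HIGH_RISK_PERMISSIONS = {
    "cookies", "clipboardRead", "clipboardWrite",
    "webRequest", "webRequestBlocking", "tabs", "<all_urls>",
}

# Host patterns that grant access to every site the user visits.
ALL_SITES_PREFIXES = ("*://*/", "http://*/", "https://*/")


def audit_manifest(manifest: dict) -> List[str]:
    """Return a list of human-readable findings for one manifest (empty if clean)."""
    findings: List[str] = []
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))

    hosts = [p for p in perms if "://" in p or p == "<all_urls>"]
    if any(h == "<all_urls>" or h.startswith(ALL_SITES_PREFIXES) for h in hosts):
        findings.append("host access to every site")

    # Exfiltration needs sensitive data *and* somewhere to send it; the
    # combination is a stronger signal than either permission alone.
    if {"cookies", "clipboardRead"} & perms and hosts:
        findings.append("sensitive-data permission combined with external host access")

    # MV2 stores the CSP as a string, MV3 as an object keyed by context.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "script-src" in csp and "http" in csp:
        findings.append("CSP allows remote scripts")

    return findings


def audit_directory(root: Path) -> Dict[str, List[str]]:
    """Walk an Extensions directory and report every manifest with findings."""
    results: Dict[str, List[str]] = {}
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest; skip rather than abort
        name = manifest.get("name", manifest_path.parent.name)
        findings = audit_manifest(manifest)
        if findings:
            results[name] = findings
    return results


# Constructed sample manifests (not real extensions) for offline testing.
SAMPLE_MANIFESTS = {
    "benign-notes": {
        "name": "benign-notes", "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
    },
    "suspicious-maps": {
        "name": "suspicious-maps", "manifest_version": 2,
        "permissions": ["cookies", "clipboardRead", "tabs", "webRequest",
                        "<all_urls>", "https://*/*"],
    },
    "remote-script-loader": {
        "name": "remote-script-loader", "manifest_version": 2,
        "permissions": ["storage"],
        # Placeholder host; a CSP like this lets the extension pull code at runtime.
        "content_security_policy": "script-src 'self' https://cdn.example.test; object-src 'self'",
    },
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the audit over the constructed samples; only flagged names are returned."""
    return {name: f for name, m in SAMPLE_MANIFESTS.items() if (f := audit_manifest(m))}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real system, point audit_directory() at the profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux) and compare the declared host patterns and CSP origins against the extension's stated purpose; a mapping or arcade-game extension that needs cookies, clipboard access and every site is the pattern worth escalating.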