These extensions ran malicious ads and uploaded private browsing data to servers without user consent. The researchers found that the malicious actors had been operating for at least two years and affected about 1.7 million users.
Kaya made use of Duo’s free automated Chrome extension security assessment tool CRXcavator for the initial findings. The researcher later collaborated with other researchers at Duo for finding more evidence.
“The Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” wrote the researchers in a blog post. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the user’s knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”
For those wondering how these attackers managed to snoop on your browsing data, they relied primarily on plugins that’d redirected users to malicious websites. The researchers point out that the plugins had the same name as the harmful website.
For instance, the researchers found similar source code on two plugins namely Mapstrek and Arcadeyum among others. The malicious websites linked to the plugins were Mapstrekcom and Arcadeyumcom. These websites were hosted on AWS.
Reference: Click Hear