In February, Google culled a little over 500 Chrome browser extensions from the web store. While it’s not abnormal to see large amounts of malware extensions suddenly disappear from existence, this particular collection was a special case. These 500-odd malicious extensions were all part of a massive ad fraud campaign that ping-ponged unwitting users from one fraudulent site to another, eating up data and processing power and in some cases eventually landing the victim on a phishing site.
What’s worse is that this scheme may have been going on for over two years before being discovered, and infected some 1.7 million victims.
A whole bunch of bad browser extensions
The scheme was uncovered by independent security researcher Jamila Kaya, in partnership with researchers from Duo Security (and with the help of their CRXcavator assessment tool for Chrome browser extensions). The team initially found 71 of these malicious browser extensions on the Chrome Web Store; after privately reporting their findings to the company, Google’s internal security team found over 430 more that were tied into the ad fraud scheme. Collectively, all of these extensions were downloaded and installed over 1.7 million times.
The scam relied on browser extensions that actually performed some sort of legitimate function on the surface. However, underneath the surface, they were also exfiltrating data and redirecting users to a variety of sites in the scam network. The list of bogus browser extensions includes weather and map services, games, and coupon delivery systems.
In this case, the malicious browser extensions used advertising cookies containing redirects to the ad fraud network’s command-and-control system. This method allowed the malware to evade the Chrome store’s automated fraud detection.
The redirects displayed ads that were a mix of legitimate businesses and malicious domains. The end user might sometimes see an ad for a big-name retail chain such as Macy’s or Best Buy, but the dangerous ads were being served invisibly in the background. The command-and-control system continually updated the rotation of ads, with the malicious ones usually stored on an Amazon AWS server.
Evidence in the ad fraud network’s architecture indicates that it started operation in late June 2017, but really ramped up activity in January 2019. At best, an end user would simply be fraudulently redirected through dozens of ads in rapid succession without seeing or being aware of most of them. At worst, the user would hit upon one of the custom-made malicious ads, which would lift browser history or redirect them to a phishing site that attempted to steal personal and login information.
Why was Google allowing ad fraud for so long?
Google’s system for Chrome extensions has been known to be a problem for several years, and the company has been working in recent years to address it. The problem is simply one of resources; Google has not found a feasible way to review all of the code in the many extensions submitted to the Web Store, opening up opportunities for abuse of the API.
The Chrome Web Store has, for whatever reason, seemingly not been a priority issue for Google in spite of heavy advertising of the Chromebook as a secure alternative to Windows laptops. An update called Manifest v3 that addresses the exploits used here had been in development since 2018 and was finally implemented in late 2019, but it is still being tested and developers can still publish extensions under the vulnerable Manifest v2 in the interim.
Google has experienced a number of Chrome Web Store security issues in the time since this ad fraud scheme began. A malicious extension that captured keystrokes was discovered in 2017, and several similar ad fraud extensions (unrelated to this case) were suspended in 2018 after racking up half a million downloads between them.
For its part, Google claims that it conducts regular sweeps for shady browser extensions. In January, the company temporarily suspended all types of paid extensions from the Chrome store after a major uptick in fraudulent transactions. In spite of this, Google did not, until recently, appear able to detect the simple trick of changing JavaScript functions after installation rather than changing the site that the user connects to.
The site-wide ban of paid extensions while Google “comes up with a long-term solution” also indicates that the company simply can’t (or won’t) devote enough resources to proper Chrome security; either that, or the company has painted itself into a corner with the browser that even its vaunted engineering minds are struggling to get out of. This could have a ripple effect on Google’s main cash cow of advertising revenue, as Luke Taylor, COO and founder of ad fraud prevention specialist TrafficGuard, explains: “Given the prolific nature of these extensions and the impact on the digital advertising ecosystem and consumer privacy, you would expect browsers to be taking more proactive steps to mitigate these practices. This is rudimentary ad fraud that is able to syphon millions in ad spend from unsuspecting advertisers.”
Chrome users should check the Duo Security list of malicious browser extensions to verify that they are not running a compromised plugin.
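As an added example (not code from the article, from Google, or from Duo Security), the following Python script enumerates the extensions installed in a Chrome profile directory and flags any whose ID appears on a blocklist such as the Duo list; the placeholder IDs in EXAMPLE_BLOCKLIST and the standard profile layout (Extensions/<id>/<version>/manifest.json) are assumptions.

```python
# Added example, not code from the article or from Duo Security: enumerate the
# extensions installed in a Chrome profile and flag any whose ID is on a blocklist.
# EXAMPLE_BLOCKLIST holds constructed placeholder IDs; replace it with Duo's list.
import json
import sys
from pathlib import Path

# Real Chrome extension IDs are 32 characters drawn from the letters a-p.
EXAMPLE_BLOCKLIST = """
# one extension ID per line; '#' starts a comment
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # constructed placeholder
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  # constructed placeholder
"""

def parse_blocklist(text):
    """Return the set of valid-looking extension IDs in a blocklist text."""
    ids = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if len(token) == 32 and all("a" <= c <= "p" for c in token):
            ids.add(token)
    return ids

def read_installed(extensions_dir):
    """Map extension ID -> [(version, name)] from <Extensions>/<id>/<version>/manifest.json."""
    installed = {}
    root = Path(extensions_dir)
    if not root.is_dir():
        return installed
    for ext_dir in root.iterdir():
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, do not crash
            installed.setdefault(ext_dir.name, []).append(
                (data.get("version", "?"), data.get("name", "?")))
    return installed

def find_matches(installed, blocklist):
    """Return sorted (id, version, name) triples for installed extensions on the blocklist."""
    return sorted((ext_id, version, name)
                  for ext_id, versions in installed.items() if ext_id in blocklist
                  for version, name in versions)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_extensions.py <path to Chrome profile Extensions directory>")
    hits = find_matches(read_installed(sys.argv[1]), parse_blocklist(EXAMPLE_BLOCKLIST))
    for ext_id, version, name in hits:
        print(f"MATCH {ext_id} {version} {name!r}")
    print(f"{len(hits)} blocklisted extension(s) found under {sys.argv[1]}")
```

On Linux the Default profile's directory is typically ~/.config/google-chrome/Default/Extensions; a match means the extension is installed and should be removed from chrome://extensions.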