Malicious Chrome Extensions in official Store serve infected links on Facebook

Pierluigi Paganini September 12, 2014

Security experts at TrendMicro have uncovered a new malicious campaign based on a Chrome extension deployed on the official Chrome Store.

A few months ago I wrote an article on the presence of a malicious Chrome browser extension, dubbed Cryptsy Dogecoin (DOGE) Live Ticker, available on the official store that was able to steal digital coins. Security experts have noticed a significant increase for the number of malicious browser extensions. Authors of malware are exploiting browser add-ons to conduct illicit activities.

Google warned its users to download and install  browser extension from the Chrome official store, in this way the company could analyze the security of the additional components.

Unfortunately, cyber criminals have already exploited official channels like Google Paly store and Google Chrome official store to serve malicious code, in these cases threat actors could benefit of the wide audience of the official stores to infect a large number of users.

Experts at TrendMicro recently detected a new click fraud campaign based on a malware able to bypass the Chrome Extension Security Feature installing a malicious browser extension. The victims of the campaign are mainly based in Brazil, other countries with a meaningful number of infections are the UK, the US and Argentina.

Bad actors behind the malicious campaign exploit social media platform for their attack, they spammed messages on Facebook containing a link to a video related to drunk girls. After victim clicks on the link, he will be redirected to a site which looks like YouTube. Once landed on the bogus YouTube website a notification will appear stating that a particular Chrome extension must be installed in order to play the video.

chrome extension YouTube

If the user accepts to install the Chrome extension, detected as BREX_FEBIPOS.OKZ, he will be redirected to the official Chrome Web Store to download the malicious component. Once installed the Chrome extension, the user is redirected to a real YouTube video of drunk girls.

chrome extension YouTube 2

The malicious Chrome extension is able to impersonate victims on Facebook posting comments, sending messages and links to serve malicious links and spreads the infection itself.

The experts at TrendMicro discovered that the author of the malicious campaign rent a virtual private server (VPS) in Russia where he registered the about 30 domains, including:

  • meusvirais[.]info – C&C where the stolen data from infected users is sent. The stolen data refers to account credentials from popular online services like Google, Facebook and Twitter.
  • cbrup[.]info – domain used to maintain software for breaking CAPTCHAS while stealing information. This server also receives stolen data.
  • SuperFunVideos[.]info – used to register the extension at Chrome Store.
  • brsupbr[].info – not used in this attack

“He has at least one more VPS that hosts about 30 different domains selling weight loss products, English language tutoring services, and work-from-home offers. He uses as an online counter for his number of victims and Dropbox for hosting fraudulent pages.” states the official post.

The malicious Chrome extension was removed from Chrome Web Store, anyway avoid clicking links from messages and  avoid to install unnecessary components. Carefully read reviews and extension ratings before installing it.

Pierluigi Paganini

(Security Affairs –  Chrome extension, malware)

you might also like

leave a comment