Google removes four extensions that used infected computers in click fraud scheme.
Researchers have uncovered four malicious extensions with more than 500,000 combined downloads from the Google Chrome Web Store, a finding that highlights a key weakness in what’s widely considered to be the Internet’s most secure browser. Google has since removed the extensions.
Researchers from security firm ICEBRG stumbled on the find after detecting a suspicious spike in outbound network traffic coming from a customer workstation. They soon discovered it was generated by a Chrome extension called HTTP Request Header as it used the infected machine to surreptitiously visit advertising-related Web links. The researchers later discovered three other Chrome extensions—Nyoogle, Stickies, and Lite Bookmarks—that did much the same thing. ICEBRG suspects the extensions were part of a click-fraud scam that generated revenue from per-click rewards. But the researchers warned that the malicious add-ons could just as easily have been used to spy on the people or organizations who installed them.
“In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed,” ICEBRG researchers wrote in a report published Friday. “In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks.”