Chrome Extension With 1 Million Installations Stealing Data From Browser

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Security researchers at Guardio Labs have recently discovered a new malvertising campaign. The campaign has two objectives:

  • Push search-hijacking Chrome extensions.
  • Insert affiliate links into web pages in order to earn affiliate commissions.

The cybersecurity researchers

Dormant Colors Infection

When a victim visits a website that offers video or downloadable content, they are bombarded with advertisements and malicious redirects that lead into the initial infection chain.

The video below shows it in action:

Upon installation, these extensions side-load the malicious scripts by redirecting the victim through multiple malicious web pages.

The primary purpose of these scripts is to make the extension perform search hijacking and insert affiliate links.

The extensions redirect the victim's search queries so that the results are fetched from websites associated with the extension developers.

The ad impressions and the sale of search data from those pages generate substantial revenue for the threat actors operating these malicious extensions.

On top of this, Dormant Colors also steals the victim's browsing data from a comprehensive list of 10,000 websites. The threat actors automatically redirect the victim to a page whose URL carries affiliate links.

Once the affiliate tags are appended to the URL, the operators of the malicious extensions earn a commission on every sale made on that site.
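The two behaviours described above, search hijacking and affiliate-tag injection, both leave a trace in navigation telemetry: the URL the user requested differs from the URL the browser finally landed on in a characteristic way. The following detector is an added illustration written for this article, not Guardio's tooling or code from the extensions themselves. It runs over a constructed log of (requested URL, final URL) pairs such as a proxy or browser-telemetry pipeline might record, and it flags a search query that ends up served by an unknown host and a same-host redirect that gains affiliate-style query keys. The search-engine host list and the affiliate key names are assumptions to tune for your own environment.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: search engines whose result pages users legitimately request.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Assumption: query-string keys commonly used to carry affiliate or referral
# identifiers.  Tune to the retailers and programmes seen in your estate.
AFFILIATE_KEYS = {"tag", "ref", "aff", "aff_id", "affid", "clickid"}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _params(url: str) -> dict:
    # parse_qs returns {key: [values]}; keep_blank_values so "tag=" still counts.
    return parse_qs(urlparse(url).query, keep_blank_values=True)


def is_search_hijack(requested: str, final: str) -> bool:
    """A query typed into a known search engine ends up answered by a
    different, unknown host that still carries the same query text."""
    if _host(requested) not in KNOWN_SEARCH_HOSTS:
        return False
    if _host(final) in KNOWN_SEARCH_HOSTS:
        return False  # ordinary redirect between legitimate engines
    query = _params(requested).get("q")
    if not query:
        return False
    return _params(final).get("q") == query


def is_affiliate_injection(requested: str, final: str) -> bool:
    """The final URL stays on the requested host but has gained
    affiliate-style query keys the user never asked for."""
    if _host(requested) != _host(final):
        return False
    gained = set(_params(final)) - set(_params(requested))
    return bool(gained & AFFILIATE_KEYS)


def analyze(log):
    """Return (kind, requested, final) for every suspicious pair in the log."""
    findings = []
    for requested, final in log:
        if is_search_hijack(requested, final):
            findings.append(("search_hijack", requested, final))
        elif is_affiliate_injection(requested, final):
            findings.append(("affiliate_injection", requested, final))
    return findings


# Constructed sample log (requested_url, final_url); hosts are placeholders.
NAV_LOG = [
    # benign: the search stays on the engine the user asked for
    ("https://www.google.com/search?q=wireless+headphones",
     "https://www.google.com/search?q=wireless+headphones"),
    # search hijack: same query, now served by an unknown results host
    ("https://www.google.com/search?q=wireless+headphones",
     "https://search.example-feed.invalid/results?q=wireless+headphones&src=ext"),
    # affiliate injection: same product page, "tag" appended by the redirect
    ("https://shop.example.com/item/123",
     "https://shop.example.com/item/123?tag=affiliate-XYZ"),
    # benign: a non-affiliate parameter added by the site itself
    ("https://shop.example.com/item/123",
     "https://shop.example.com/item/123?variant=blue"),
]

if __name__ == "__main__":
    for kind, requested, final in analyze(NAV_LOG):
        print(f"{kind}: {requested} -> {final}")
```

Both heuristics compare the user's intent (the requested URL) with the outcome, which is what distinguishes an extension silently rewriting navigation from a site's own redirects; in production the same logic applies to per-tab navigation events from enterprise browser reporting, and a hit should prompt a review of the extensions installed on that host.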

Powerful C&C

Dormant Colors’ operators could use these same stealthy techniques to do far more damage than hijacking affiliate links.

The threat actors also gain the ability to redirect victims to fake websites hosting malicious scripts that steal credentials for the following services:

  • Microsoft 365
  • Google Workspace
  • Banking
  • Social media accounts

So far, however, there is no indication that the campaign is actually performing any of these activities.