In a detailed explanation, a member of the company's staff, who uses the pseudonym Kafeine, said the compromise of these extensions had taken place towards the end of July and the beginning of August.
The attacker(s) had gained access to the extensions through the Google accounts of the authors, using a phishing scheme to obtain the necessary credentials. A screenshot of a typical phishing email can be seen below.
Extensions that were examined included Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, CopyFish 2.8.5, Web Paint 1.2.1 and Social Fixer 20.1.1.
One developer, Chris Pederick, who creates the Web Developer for Chrome extension, co-operated with Proofpoint so that the company could write a detailed explanation of how the compromise was being effected.
One of the affiliate programmes receiving the hijacked traffic.
Chrome extensions are normally installed from Google's Chrome Web Store. However, extensions from outside the store can also be side-loaded by users with some technical knowledge.
Kafeine wrote that the compromised version of an extension tried to substitute ads in a victim's browser, diverting traffic from legitimate advertising networks.
Many of the diverted requests were for ads from porn sites. "In many cases, victims were presented with fake JavaScript alerts prompting them to 'repair' their PCs, then redirecting them to affiliate programmes from which the threat actors could profit," Kafeine said.
Screenshots: Courtesy Proofpoint