Cyber Security News

Chrome Extension With 1 Million Installation Stealing Data From Browser

Security researchers at Guardio Labs have recently discovered a new malvertising campaign. The campaign has two objectives:

  • Push search-hijacking Chrome extensions.
  • Insert affiliate links into web pages in order to earn affiliate commissions.

The researchers named this malvertising campaign “Dormant Colors.” In total, 30 variants of the malicious extensions were identified during the second half of October 2022 on the web stores of two popular browsers:

  • Chrome
  • Edge

The surprising thing about these malicious browser extensions is that together they reached more than 1 million active installs globally.

The operators designed the extensions to evade detection: the extension packages themselves contain no malicious code, and they offer multiple color customization options to lure users into installing them.

Dormant Colors Infection

When a victim visits a website that offers video or downloadable content, the victim is bombarded with advertisements and malicious redirects that start the infection chain.


Once installed, the extensions side-load the malicious scripts by redirecting victims through several dangerous web pages.

The primary purpose of these scripts is to make the extension perform search hijacking and insert affiliate links.

The extensions redirect search queries so that results are fetched from websites associated with the extension developers.

Ad impressions and the sale of search data then generate substantial revenue for the operators of these malicious extensions.

On top of this, Dormant Colors also steals the victim’s browsing data on a comprehensive list of 10,000 websites. The threat actors automatically redirect the victim to a page whose URL carries affiliate links.

Once the affiliate tags are appended to the URL, the operators of the malicious extensions earn a commission on every sale made on the site.
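As an added detection example, not part of this article or the Guardio report: the two behaviours described above (search hijacking and affiliate-tag injection) can be triaged from navigation records of the form (requested URL, final URL), such as a proxy or browser telemetry would produce. The search-engine hosts, affiliate parameter names and sample records are constructed placeholders, not indicators from the report.

```python
"""Flag search hijacking and affiliate-tag injection in navigation records.

Each record is a (requested_url, final_url) pair. Hosts, parameter names and
the sample records below are constructed for this example (not indicators).
"""
from urllib.parse import urlparse, parse_qs

# Hosts where a user's search should stay; landing elsewhere is suspicious.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Query parameters commonly used for affiliate attribution (constructed list).
AFFILIATE_PARAMS = {"tag", "aff_id", "affiliate", "ref", "utm_campaign"}


def is_search_hijack(requested: str, final: str) -> bool:
    """A search on a known engine that ends on an unrelated results host."""
    req, fin = urlparse(requested), urlparse(final)
    if req.hostname not in KNOWN_SEARCH_HOSTS or "q" not in parse_qs(req.query):
        return False
    return fin.hostname not in KNOWN_SEARCH_HOSTS


def injected_affiliate_params(requested: str, final: str) -> set:
    """Affiliate parameters present on the final URL but absent from the
    request for the same host and path (tags appended to the URL)."""
    req, fin = urlparse(requested), urlparse(final)
    if (req.hostname, req.path) != (fin.hostname, fin.path):
        return set()
    added = set(parse_qs(fin.query)) - set(parse_qs(req.query))
    return added & AFFILIATE_PARAMS


def triage(records):
    """Return (kind, requested, final) findings for a list of records."""
    findings = []
    for requested, final in records:
        if is_search_hijack(requested, final):
            findings.append(("search_hijack", requested, final))
        params = injected_affiliate_params(requested, final)
        if params:
            kind = "affiliate_injection:" + ",".join(sorted(params))
            findings.append((kind, requested, final))
    return findings


# Constructed sample navigation records (not real indicators).
SAMPLE_RECORDS = [
    ("https://www.google.com/search?q=winter+boots", "https://search.example-results.test/?q=winter+boots"),
    ("https://shop.example.com/item/123", "https://shop.example.com/item/123?tag=partner-xyz"),
    ("https://www.bing.com/search?q=news", "https://www.bing.com/search?q=news"),
    ("https://shop.example.com/item/456", "https://shop.example.com/item/456?color=red"),
]

if __name__ == "__main__":
    for kind, requested, final in triage(SAMPLE_RECORDS):
        print(f"{kind}: {requested} -> {final}")
```

A benign parameter change (the fourth record) produces no finding, so the check only fires on attribution-style parameters added without a change of host or path.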

Powerful C&C

Using these same stealthy techniques, the operators of Dormant Colors could achieve far more damaging results than affiliate hijacking.

They also have the ability to redirect victims to fake websites with malicious scripts that steal credentials for the following services:

  • Microsoft 365
  • Google Workspace
  • Banking
  • Social media accounts

Despite this capability, there is so far no indication that the campaign is performing any of these activities.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
