![]() In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms.īrowser extensions have been known as a weak point for individual security and privacy, due to their potential for misuse under the general guise of helpful applications. This is evident in recent write-ups on independent malvertising and multi-part malvertising campaigns including the below examples such as the 3VE campaign and the more recent Fake JQuery campaign. Alternatively, it also emerges in multipart malicious campaigns that involve advertising collection and defraudment. Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation. This technique, called “malvertising” has become an increasingly common infection vector in Jamila's experience, and is still hard to detect today, despite being prominent for years. A very popular way to do this is to utilize advertising cookies and the redirects therein to control callbacks and evade detection. Increasingly malicious actors will use legitimate internet activity to obfuscate their exploit droppers or command and control schemas. _“We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”_** **_“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,”_ said a Google spokesperson. This allowed Google to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions. Once the report was submitted, they worked to validate the findings and went on to fingerprint the extensions. Google was receptive and responsive to the report. Through collaboration, we were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. These extensions were commonly presented as offering advertising as a service. Upon further investigation, they were found to infect users’ browsers and exfiltrate data as part of a larger campaign. ![]() Jamila contacted Duo about a variety of Chrome extensions she identified to be operating in a manner that initially seemed legitimate.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |