500+ malvertising Google Chrome extensions disabled, removed from Web Store

Harmful malvertising Google Chrome Extensions were active over at least eight months. The extensions redirected millions of users to malicious sites, including to affiliate links or a GDPR announcement site in an apparent attempt to misdirect investigations and appear legitimate.

Malicious ads. Security researcher Jamila Kaya and Cisco’s Duo Security team identified the group of extensions. When a user installs any one of the 500+ extensions, a network of downstream malware sites will act in concert for a command and control scenario to redirect in such a way as to masquerade as ordinary, but intrusive, looking ads.

“The user’s host regularly checks in at an asynchronous interval to the other domains to receive new instructions, locations to upload data, and new domain and feed lists for advertisements and future redirects.”

Jamila Kaya and Jacob Rickerd (Duo.com)

Google response. The researchers alerted Google of the problem, and together, they reached a high confidence level that all rogue extensions were disabled for current installs. Chrome users with any of these extensions will see them marked as malware as a prompt to uninstall, locally.

Presumably, the downstream domains have been added to a shared list of security hazard websites and removed from Google’s search index.

Tightening security requirements. Google had already begun to tamp down its privacy policy and data handling requirements as a direct consequence of this breach once the researchers alerted them late last year. During the interim, they were able to confirm the finding and discover over 500 instances of the malware extensions by seeking a signature code “fingerprint” discovered Kaya.

What Kaya discovered was the various extensions all carelessly shared much the same source code, only with function names switched out in order to appear different enough to slip through Google’s automated duplicate detection system, and allowing them to publish the volume of extensions to the Web Store.

Why we care. As marketers, we need to know that security requirements governing the storage of data will continue to increase as Google’s new requirements outline. Additionally, we should be concerned that our reputation suffers when breaches occur and bad advertising gives millions of users bad experiences.

About The Author

Detlef Johnson

Detlef Johnson is the SEO for Developers Expert for Search Engine Land and SMX. He is also a member of the programming team for SMX events and writes the SEO for Developers series on Search Engine Land. Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 20 years ago. Since then he has worked for major search engine technology providers, managed programming and marketing teams for Chicago Tribune, and consulted for numerous entities including Fortune 500 companies. Detlef has a strong understanding of Technical SEO and a passion for Web programming.