Seven more Google Chrome extensions have been added to the list of potentially hacked programs ever since the initial hack of Copyfish at the beginning of this month.
According to a report made by the cyber security firm Proofpoint, hackers have taken over these browser extensions with the purpose of manipulating internet traffic.
How Copyfish was Hacked
There were many reports regarding the hijacking of a Google Chrome Web Store account belonging to a team of developers.
The attackers hacked the Copyfish extension and modified it for phishing purposes.
The Copyfish extension had been downloaded by more than 37,500 people from all over the world.
It was used to enable users to make use of text from images and other files like PDFs, videos, etc.
After Copyfish had been compromised, all of its users were under the threat of an attack as the hackers modified the extension to equip it with advertisement-insertion abilities.
What made this hijacking so dangerous was that the hackers moved the extension from its original account to their personal developer account, making it nearly impossible for the real developers to do anything about it.
Therefore, they could only observe as their product was being used for phishing purposes.
The attack was then traced all the way back to the end of July.
According to a statement made by a9t9 software, one of the developers received an email from the Chrome Store.
It wasn’t an authentic message sent from the official Chrome Store team, but instead a phishing email sent by the attackers.
The message asked the developers to update the Copyfish extension or risk getting booted from the store.
The developer was viewing it in HTML format and therefore was unable to spot that there was anything suspicious about it.
Once the password was entered, the attackers started sending out spam emails and various ads.
Other Extensions Suffer the Same Fate
Two days after Copyfish was hacked came reports that another popular extension, called “Web Developer,” had also been hijacked.
It had over one million users, and most of them were subjected to dozens of phishing emails and spam messages.
The owner of Web Developer, one of the most popular Google Chrome extensions, informed security experts about what had happened to this product.
Proofpoint then proceeded to investigate and discovered that more Google Chrome extensions were affected than they had previously thought.
Proofpoint has compiled a list of all the Google Chrome extensions infected so far.
As of now, the list contains Chrometana, Infinity New Tab, Copyfish, Web Paint and Social Fixer.
They also suspect that TouchVPN and Betternet VPN have been compromised.
In all the attacks, the hackers first gained access to the developers’ accounts by sending them phishing emails to steal their credentials.
After they obtained full control of those accounts, they took over the respective extensions and started spamming users with malicious phishing messages and ads.
All of this led to the tragic hijacking of web-based traffic as users all over the world were exposed to the malicious emails sent by the attackers.
In one specific case, the compromised extension tried to change the ads shown in users’ browsers.
The web traffic was hijacked from the official ad networks, and users received several emails asking them to repair their PCs.
According to Proofpoint, it was apparent that adult websites were specifically singled out in this process.
They focused on an unknown ad network during all this.
How the Attack Unfolded
According to Proofpoint, the various phishing emails took users to sites displaying various ads and pop-ups.
The links on those sites then took them to various affiliate programs, which helped the hackers earn revenue.
It’s currently unknown whether these sites may actually harm users by infecting their PCs with other malware and Trojans.
The hijacking of the Web Developer extension was especially unique compared to other cases, according to Proofpoint.
After being alerted to the possible infection of the extension by Pederick, the investigators were able to retrieve the infected version of the Web Developer extension.
Once they did so, they were able to isolate the code injected into the extension.
Once they analyzed the code, they found out that the hackers were retrieving a remote file from a server with an algorithm-generated domain.
The researchers are now focusing on discovering the identities of the hackers involved.
So far, it seems that they have covered their tracks exceptionally well.