More than a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions of Users

(The AEGIS Alliance) – New details have emerged about a huge network of rogue browser extensions for Chrome and Edge that were found to hijack clicks on links in search results pages, redirecting them to arbitrary URLs, including phishing websites and advertisements.

Collectively referred to as “CacheFlow” by Avast, the 28 extensions in question include Instagram Story Downloader, Video Downloader for Facebook, Vimeo Video Downloader, and VK Unblock. They used a sneaky trick to mask their true function: leveraging the Cache-Control HTTP header as a covert channel to receive commands from an attacker-controlled server.

All the backdoored browser extensions were removed by Google and Microsoft as of December 18, 2020, to prevent additional users from downloading them from the official stores.

According to telemetry gathered by the firm, the three most affected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the United States.

The CacheFlow sequence started when unsuspecting users downloaded one of the extensions for their browsers. Once installed, the extension sent analytics requests resembling Google Analytics to a remote server, which sent back a specially crafted Cache-Control header containing hidden instructions to fetch a second-stage payload. That payload functioned as a downloader for the final JavaScript payload.
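One way to hunt for this kind of channel in proxy or HAR logs is to audit response Cache-Control values against the directives the HTTP caching RFCs define. This is an added example, not code from Avast or from the extensions; the log records, hosts and the `x-cfg` directive are constructed, and it assumes hidden data would show up as an unknown directive or a malformed argument, since the article does not describe the actual encoding.

```python
import re

# Response directives defined by RFC 9111, RFC 8246 and RFC 5861.
STANDARD = {
    "max-age", "s-maxage", "no-cache", "no-store", "no-transform",
    "must-revalidate", "proxy-revalidate", "must-understand",
    "private", "public", "immutable",
    "stale-while-revalidate", "stale-if-error",
}
# Directives whose argument must be a non-negative integer (delta-seconds).
NUMERIC = {"max-age", "s-maxage", "stale-while-revalidate", "stale-if-error"}

DIRECTIVE = re.compile(
    r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)"              # directive name (HTTP token)
    r"(?:\s*=\s*(\"(?:[^\"\\]|\\.)*\"|[^,\s]*))?"  # optional token or quoted value
)

def audit_cache_control(header):
    """Return a list of reasons this Cache-Control value looks non-standard."""
    findings = []
    for name, value in DIRECTIVE.findall(header):
        name = name.lower()
        value = value.strip('"')
        if name not in STANDARD:
            findings.append(f"unknown directive {name!r}")
        elif name in NUMERIC and not value.isdigit():
            findings.append(f"{name} has non-numeric value {value!r}")
        elif name not in NUMERIC and name not in {"no-cache", "private"} and value:
            findings.append(f"{name} carries unexpected argument {value!r}")
    return findings

def suspicious_responses(records):
    """records: iterable of (host, path, cache_control) taken from proxy logs."""
    return [(host, path, f) for host, path, cc in records
            if (f := audit_cache_control(cc))]

# Constructed sample log records; hosts and header values are invented.
SAMPLE = [
    ("static.example.com", "/app.js", "public, max-age=31536000, immutable"),
    ("api.example.com", "/v1/me", "private, no-cache=\"set-cookie\", no-store"),
    ("stats.example.net", "/collect", "max-age=0, x-cfg=ZG93bmxvYWRlcg"),
    ("stats.example.net", "/collect", "max-age=aGVsbG8"),
]

if __name__ == "__main__":
    for host, path, reasons in suspicious_responses(SAMPLE):
        print(host, path, "; ".join(reasons))
```

Findings are leads to triage, not verdicts: some CDNs and frameworks emit their own extension directives, so baseline what is normal for your traffic before alerting.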

This JavaScript malware gathered a massive amount of data, including birth dates, email addresses, geolocation data, and device activity, with a particular focus on collecting the information from Google.

“To retrieve the birthday, CacheFlow made an XHR request to https://myaccount.google.com/birthday and parsed out the birth date from the response,” Avast researchers Jan Vojtěšek and Jan Rubín noted.

In the final step, the payload injected another piece of JavaScript into every tab, using it to hijack clicks that lead to reputable sites. It also modified search results from Google, Bing, and Yahoo to reroute the victim to a different URL.

[Image: list of infected Chrome and Edge browser extensions]

That’s not all. The extensions not only avoided infecting users who were likely to be web developers, something that was deduced by computing a weighted score of the extensions installed or by checking whether they accessed locally-hosted websites (e.g., .dev, .local, or .localhost); they were also configured to not exhibit any suspicious behavior during the first three days after installation.

Avast said the myriad tricks employed by the malware authors to avoid detection may have been an important factor that allowed the malware to execute malicious code in the background and stealthily infect millions of victims, with evidence suggesting the campaign may have been active since at least October 2017.

“We usually trust that the extensions installed from official browser stores are safe,” the researchers stated. “But that is not always the case as we recently found.”

“CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. We believe this is a new technique.”

The full list of indicators of compromise (IoCs) related to the campaign can be accessed here.

Kyle James Lee – The AEGIS Alliance – This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
