More than 500 browser extensions downloaded millions of times from Google’s Chrome Web Store surreptitiously uploaded private browsing data to attacker-controlled servers, researchers said on Thursday.

The extensions were part of a long-running malvertising and ad-fraud scheme that was discovered by independent researcher Jamila Kaya. She and researchers from Cisco-owned Duo Security eventually identified 71 Chrome Web Store extensions that had more than 1.7 million installations. After the researchers privately reported their findings to Google, the company identified more than 430 additional extensions. Google has since removed all known extensions.

“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” Kaya and Duo Security researcher Jacob Rickerd wrote in a report. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”

A maze of redirects, malware, and more

The extensions were mostly presented as tools that provided various promotion- and advertising-as-a service utilities. In fact, they engaged in ad fraud and malvertising by shuffling infected browsers through a maze of sketchy domains. Each plugin first connected to a domain that used the same name as the plugin (e.g.: Mapstrek[.]com or ArcadeYum[.]com) to check for instructions on whether to uninstall themselves.

The plugins then redirected browsers to one of a handful of hard-coded control servers to receive additional instructions, locations to upload data, advertisement feed lists, and domains for future redirects. Infected browsers then uploaded user data, updated plugin configurations, and flowed through a stream of site redirections.

Thursday’s report continued:

The user regularly receives new redirector domains, as they are created in batches, with multiple of the earlier domains being created on the same day and hour. They all operate in the same way, receiving the signal from the host and then sending them to a series of ad streams, and subsequently to legitimate and illegitimate ads. Some of these are listed in the “End domains” section of the IOCs, though they are too numerous to list.

Many of the redirections led to benign ads for products from Macy’s, Dell, and Best Buy. What made the scheme malicious and fraudulent was (a) the large volume of ad content (as many as 30 redirects in some cases), (b) the deliberate concealment of most ads from end users, and (c) the use of the ad redirect streams to send infected browsers to malware and phishing sites. Two malware samples tied to the plugin sites were:

ARCADEYUMGAMES.exe, which reads terminal service related keys and accesses potentially sensitive information from local browsers, and

MapsTrek.exe, which has the ability to open the clipboard

All but one of the sites used in the scheme weren’t previously categorized as malicious or fraudulent by threat intelligence services. The exception was the state of Missouri, which listed DTSINCE[.]com, one of the handful of hard-coded control servers, as a phishing site.

The researchers found evidence that the campaign has been operating since at least January 2019 and grew rapidly, particularly from March through June. It’s possible the operators were active for a much longer period, possibly as early as 2017.

While each of the 500 plugins appeared to be different, all contained almost identical source code, with the exception of the function names, which were unique. Kaya discovered the malicious plugins with the help of CRXcavator, a tool for assessing the security of Chrome extensions. It was developed by Duo Security and was made freely available last year. Almost none of the plugins have any user ratings, a trait that left the researchers unsure of precisely how the extensions got installed. Google thanked the researchers for reporting their findings.

Beware of extensions

This latest discovery comes seven months after a different independent researcher documented browser extensions that lifted browsing histories from more than 4 million infected machines . While the vast majority of installations affected Chrome users, some Firefox users also got swept up. Nacho Analytics , the company that aggregated the data and openly sold it, shut down following the Ars coverage of the operation.

Thursday’s report has a list of 71 malicious extensions, along with their associated domains. Following a long practice, Google didn’t identify any of the extensions or domains it found in its own investigation. Computers that had one of the plugins received a popup notification that said it had been "automatically disabled." People who followed a link got a red warning that said: "This extension contains malware."

The discovery of more malicious and fraudulent browser extensions is a reminder that people should be cautious when installing these tools and use them only when they provide true benefit. It’s always a good idea to read user reviews to check for reports of suspicious behavior. People should regularly check for extensions they don’t recognize or haven’t used recently and remove them.

Post updated to describe the notification provided by Google.