Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

00. Introduction

Cisco’s Duo Security released CRXcavator, our automated Chrome extension security assessment tool, for free last year in order to reduce the risk that Chrome extensions present to organizations and to enable others to build on our research to create a safer Chrome extension ecosystem for all.

In a perfect example of the research we hoped to facilitate, security researcher Jamila Kaya (@bumblebreaches) used CRXcavator to uncover a large scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. Duo, Jamila, and Google worked together to ensure these extensions, and others like them, were promptly found and removed.

01. A New Campaign

Jamila contacted Duo about a variety of Chrome extensions she identified to be operating in a manner that initially seemed legitimate. Upon further investigation, they were found to infect users’ browsers and exfiltrate data as part of a larger campaign.

These extensions were commonly presented as offering advertising as a service. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and utilize CRXcavator.io to identify 70 matching their patterns across 1.7 million users and escalate concerns to Google.

Google was receptive and responsive to the report. Once the report was submitted, they worked to validate the findings and went on to fingerprint the extensions. This allowed Google to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions.

02. Malvertising on the Rise

Increasingly malicious actors will use legitimate internet activity to obfuscate their exploit droppers or command and control schemas. A very popular way to do this is to utilize advertising cookies and the redirects therein to control callbacks and evade detection. This technique, called “malvertising” has become an increasingly common infection vector in Jamila's experience, and is still hard to detect today, despite being prominent for years.

Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad-fraud, data exfiltration, phishing, and monitoring and exploitation. Alternatively, it also emerges in multipart malicious campaigns that involve advertising collection and defraudment.

This is evident in recent write-ups on independent malvertising and multi-part malvertising campaigns including the below examples such as the 3VE campaign and the more recent Fake JQuery campaign.

The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms.

03. Bad Behavior

Browser extensions have been known as a weak point for individual security and privacy, due to their potential for misuse under the general guise of helpful applications.

In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms. While this research and CRXcavator's analysis in general can help us understand a lot about the architecture and operation of such malicious extensions, the question of how the extensions got to be installed on any system is not one we have the data to answer at this time.

To break down how this occurs, Jamila mapped out a few key functions of the architecture that this singular threat actor was utilizing for at least the last 1-2 years, with potential activity dating back to the early 2010’s.

Jamila then compared her findings on CRXcavator.io to take note of additional patterns. The main site is referenced via the description and is always the exact name of the plugin, just with a “.com.” No contact information or support information is explicitly listed in any of these extensions either.

The plugins have almost no ratings, and the source code of the plugins are nearly identical to each other. The only substantial differences in the source code are the names of the functions. With a much larger number than similar plugins and services, it’s likely that a single change of all the function names reduces the similarity to other plugins enough to avoid detection mechanisms.

This similarity is shown below in comparing the code between two plugins, MapsTrek Promos and CrushArcade Advertisements. The code on the left from CrushArcade references the same C2 sites but adjust to reference a “CA” network (Crush Arcade) and is under the name adapt_timetable.js, while the one on the right references “MT” (MapsTrek) and is called addition_thread.js. Here the version is seen as incredibly similar in notation — the code versioning for these plugins is always four sections in length.

The level of permissions requested on each plugin is similarly high and is identical between them, allowing it to access a large amount of data in the browser. In addition, the external sites contacted are identical between all the plugins involved, with the exception of the plugin “front” site.

Once on the users browser, the plugin will call out to the site referenced by its name, Mapstrek<dot>com, ArcadeYum<dot>com, or the like (partial list in the IOC document), and do so on regular intervals to receive instruction as to whether to uninstall or not. Sandboxes report that trying to navigate to each of the plugin sites immediately takes them to a gdprcountryrestriction<dot>com site, to which impacted users are not taken. This could indicate that the plugin is attempting to appear legitimate and obfuscate its behavior from sandboxes.

Once the impacted user’s machine makes contact with the plugin site, it will move onto the hard-coded “acctrDomains” referenced in the above code, of which there are three. Only one of these is used, and it is almost always the first in the series, DTSINCE<dot>com. These operate as command and control domains and the user’s host regularly checks in at an asynchronous interval to the other domains to receive new instructions, locations to upload data, and new domain and feed lists for advertisements and future redirects.

Above is an example of the communications that a host receives from the command sites pulled from memory on an impacted host.

Once the impacted host has the new directions, they do three or more operations: upload requested data, update config, and get sent through a redirection stream.

The upload is made to data<dot>multitext<dot>com, identified as the data exchange domain in transactions. This data exchange includes but is not limited to various usage, time, idle activity, tracking, and browser activity and statistics, sometimes in mimicry to advertising, but of course without general consent.

The app config update seems to occur either at the control domains or at dmnsg<dot>com as pulled from a settle_signal.js on an impacted host.

The primary malicious activity and ad fraud occurs through the redirection streams. Host sites owned by the actor are listed in the above screenshots, all named similarly and (almost all) hosted in AWS. General variants of words like “RandomDomain” but without the vowels, they are easily recognized as human-created words that have been obfuscated by machine operations.

The user regularly receives new redirector domains, as they are created in batches, with multiple of the earlier domains being created on the same day and hour. They all operate in the same way, receiving the signal from the host and then sending them to a series of ad streams, and subsequently to legitimate and illegitimate ads. Some of these are listed in the “End domains” section of the IOCs, though they are too numerous to list.

A large portion of these are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy. What differentiates it as malvertising and ad fraud rather than legitimate advertising is the large volume of ad content shown, the fact that the user does not see many if not the majority of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing. This is evidenced by “End Domains” sites such as sponsergift<dot>pro, usapremiumclub (and associated “usa” sites), jenrx2u<dot>com, and 3f6i9<dot>com. Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site.

Additionally, some of the malicious domains occur multiple times between disparate users and in Jamila’s research, have never been seen to occur with other plugins or ad streams. While the primary intention of the the plugin at this point is still to cycle through the redirection streams in order to generate ad revenue, users are exposed to additional risk of infection or phishing through these redirects. The volume of the redirects will oscillate from 7 to 10 to more than 30.

At this point, if the user does not regularly check their plugins, it continues to collect data and generate internal revenue on the user’s machine largely undetected.

After investigating the components owned by this actor, it appears that though the ultimate registrant is always obfuscated, they seem to actively maintain the plugin sites, control sites, and redirector sites. The upload and config sites may or may not be controlled directly by the actor, but it is worth noting they also redirect to the same gdprcountryrestriction<dot>com when run through sandboxes.

At the time of discovery, very few threat intelligence vendors have explicitly categorized any part of this infrastructure as malicious or phishing. An exception to this is the state of Missouri, which listed DTSINCE<dot>com as phishing without context at the beginning of the year.

After threat hunting with open resources, Jamila was also able to discover direct malware tied to these plugin sites, likely operating under a different design and function but for the same user. Two are directly tied to Mapstrek<dot>com and Arcadeyum<dot>com. While lacking a lot of the IOCs from the plugin architecture, they contain similarities to each other, including references to the same domains.

• Hybrid-Analysis Sandbox, Arcadeyum Malware Sample Report

• Hybrid-Analysis Sandbox, Mapstrek Malware Sample Report

Additionally, searching for these indicators through proprietary sandboxes pulled multiple instances of malware tied to the Arcadeyum site as well as to the redirector domains. Some of the hashes found here, such as “68707cfc2c7bfe721e22f681c86480c012ce7b28f442c2e0090fde95663b6f13” are classified in VirusTotal as related to the GameVance PUP software/adware.

This tie-in, as well as the plugin proliferation, suggests that potentially this actor has been operating for a while and has continued to grow while avoiding detection.

In all instances of impacted users, no trace of Gamevance or other arcade software was found or visited. This particular association may be tangential.

04. Turning Back the Clock

Based upon Jamila’s observation at the time of her research, the actor had been active for at least eight months, since January of 2019, and had grown rapidly in activity thereafter, especially from March through June of 2019 — with dozens of new variant plugins released and new domains and infrastructure being stood up monthly. It is possible that this actor has been active much longer than this, as some malware and domains associated with the traffic were registered in 2018 and 2017.

Multiple portions of the architecture to support this plugin network were created on the same day or month, with new components, such as redirector domains, released in chunks.

The instruction domains seem to have been created June 23, 2017, so that is likely the start of this particular behavior.

The redirector domains were created at various times, with multiple created in pairs or around similar times, such as:

New redirector domains were created as recently as mid-April. Recently, the redirector domains have been increasingly leased from non-AWS hosters, whereas the early domains were almost exclusively AWS hosted.

The recent domains, also with the variance, seem to have left some level of information in the registrar fields, and some of the redirector domain updated in March left non-obfuscated email addresses in the registration fields. A reverse DNS lookup indicates registrations of many potential phishing sites, but not enough investigation was done to fully attribute this.

05. CRXcavator

Duo was excited to be able to work with Jamila on these findings. Much of this data was able to be gathered using CRXcavator, Duo’s free automated Chrome extension security assessment tool.

Duo’s mission has always been to democratize security, and we felt no different about Chrome extensions. CRXcavator empowers organizations to assess potential risks an extension may pose to decide whether or not to allow it to be installed on their users’ endpoints. Browser-extension security expert or not, anyone can use CRXcavator to empower organizations of any size to stay secure. To learn more about the tool, check out the CRXcavator release blog post.

06. A Brighter Future Ahead

Google has implemented new user data privacy policy and secure handling requirements. These new guidelines require all extensions that handle user data to have a privacy policy, gain consent from the user, and only use the minimum required amount of permissions. To help with enforcement, Google has also implemented the Developer Data Protection Reward Program which will pay out bounties to people who find extensions that are violating this policy. Combined with the upcoming Manifest V3, these steps demonstrate that Google has been taking user privacy seriously and are making great strides to ensure the security of their user base.

07. Conclusion

The outcome of Jamila’s research, with collaboration from Duo and Google, demonstrates both the increasing real world risk of Chrome extensions and the utility of CRXcavator as a tool to aid researchers in finding vulnerabilities like this. Collectively, we identified 500 Chrome extensions that infected users’ browsers and were consequently removed from the Web Store. More than 1.7 million users were affected which indicates the scale at which browser extensions when used as an attack vector can impact end users. As part of good security hygiene, we recommend users regularly audit what extensions they have installed, remove ones they no longer use, and report ones they do not recognize. Being more mindful and having access to more easily accessible information on extensions can help keep both enterprises and users safe.

08. Indicator Index