500+ malvertising Google Chrome extensions disabled, removed from Web Store

Google confirmed the finding and identified more than 500 instances of the malicious extensions using a code "fingerprint" developed by security researcher Jamila Kaya.


The malvertising Chrome extensions were active for at least eight months. They redirected millions of users to malicious sites, including affiliate links and a GDPR announcement page, apparently to misdirect investigators and make the traffic look legitimate.

Malicious ads. Security researcher Jamila Kaya and Cisco's Duo Security team identified the group of extensions. Once a user installs any one of the 500+ extensions, a network of downstream malware domains acts in concert as command-and-control infrastructure, steering the browser through redirects disguised as ordinary, if intrusive, advertising.

“The user’s host regularly checks in at an asynchronous interval to the other domains to receive new instructions, locations to upload data, and new domain and feed lists for advertisements and future redirects.”

Jamila Kaya and Jacob Rickerd (Duo.com)

Google response. The researchers alerted Google to the problem, and together they reached a high level of confidence that all of the rogue extensions had been disabled for existing installs. Chrome users who have any of these extensions will see them flagged locally as malware, with a prompt to uninstall.

Presumably, the downstream domains have also been added to shared blocklists of malicious websites and removed from Google's search index.

Tightening security requirements. Google had already begun tightening its privacy-policy and data-handling requirements for extension developers as a direct consequence of this discovery, after the researchers alerted it late last year. In the interim, Google confirmed the finding and identified more than 500 instances of the malicious extensions using a signature-code "fingerprint" that Kaya had discovered.

What Kaya discovered was that the various extensions all shared largely the same source code, with only function names swapped out so that each appeared different enough to slip past Google's automated duplicate detection, which allowed the operators to publish extensions to the Web Store in volume.

Why we care. As marketers, we should expect the security requirements governing the storage and handling of data to keep increasing, as Google's new requirements show. We should also be concerned that our reputation suffers when breaches occur and bad advertising gives millions of users bad experiences.




Opinions expressed in this article are those of the guest author and not necessarily MarTech.


About the author

Detlef Johnson
Contributor
Detlef Johnson is the SEO for Developers Expert for Search Engine Land and SMX. He is also a member of the programming team for SMX events and writes the SEO for Developers series on Search Engine Land. Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 20 years ago. Since then he has worked for major search engine technology providers, managed programming and marketing teams for Chicago Tribune, and consulted for numerous entities including Fortune 500 companies. Detlef has a strong understanding of Technical SEO and a passion for Web programming.
