Extensions for Google’s Chrome browser have to work within certain restrictions, but that hasn’t stopped people from sneaking in malicious features. Researchers from security firm ICEBRG report finding a cluster of scam extensions in the Google Web Store with a combined download figure of more than 500,000. Google has removed the extensions, but the creators of these extensions probably still made a mountain of cash from the scheme.
According to ICEBRG, it first became aware of the dangerous extensions after finding a suspicious spike in outbound network traffic on a client’s machine. The team tracked that to an extension called Change HTTP Request Header running a hidden click-fraud package. As the user goes about his or her business, the extension reaches out to a control server to generate money by clicking ads. The control server actually uses the victim’s computer as a proxy to make it look like a person is clicking the ads and affiliate links that benefit the extension owners. That’s why the extensions generate so much suspicious outbound traffic.
ICEBRG eventually found three more extensions doing the same thing: Nyoogle, Stickies, and Lite Bookmarks. Of the extensions found, Nyoogle had by far the most downloads at more than 500,000 (it promised custom Google logos). The others, including the extension that tipped off ICEBRG, were very small by comparison.