20 Million+ Google Chrome Users Are Victims Of Malware Infected Ad Blockers

The Current Situation

It has come to light that several Google Chrome ad blocker extensions may have been hacked. Five ad blocker extensions that have already been installed by over 20 million people have been identified. If you have one of the extensions below, you may already have been compromised.

  • AdRemover for Google Chrome™ (10M+ users)
  • uBlock Plus (8M+ users)
  • Adblock Pro (2M+ users)
  • HD for YouTube™ (400K+ users)
  • Webutation (30K+ users)

These extensions are simple rip-offs with a few lines of code and some analytics code added by the so-called “authors”. The tactic is to spam keywords in the extension description in an effort to make it to the top of the search results.

Malicious extensions have access to everything you do on the internet and may allow their authors to obtain the information people enter into the websites they visit. Such sensitive information might include passwords, web browser history, and credit card information.

The malware-infected extensions were discovered by developer Andrey Meshkov. He noted that the creators of the extensions used keywords in the names and descriptions to rank high in the search results, thereby increasing the number of users likely to download the malware-infected ad blockers.

One of the extensions, ‘AdRemover’, had code hidden in a modified version of jQuery, a well-known JavaScript library. This code sends information about the websites the user visits back to a remote server. The extension can then receive commands from the remote server, which are executed in the background and can change the behaviour of your browser. The commands are hidden inside regular images to avoid detection. The four other extensions, Meshkov stated, used similar methods.

This is not the first time that infected code has slipped past Google’s defenses. In October 2017, Google was forced to purge a fake Adblock extension that had been downloaded by at least 37,000 people. In addition to Chrome users, Google’s Play Store is also frequently targeted by hackers aiming to spread Android banking malware and trojans.

How It Works In Simpler Terms

  1. Malicious code is hidden inside a well-known JavaScript library (jQuery).
  2. This code relays information about the websites you visit to its server.
  3. The extension communicates directly with its remote command-center server. The commands it receives are hidden inside a harmless-looking image in order to avoid detection.
  4. These commands are scripts, which are then executed in the privileged context (the extension’s “background page”) and can control your browser behavior in any way, namely capturing and forwarding all your browsing data.
  5. The malware will most likely have a pre-populated list of websites that a user would visit.
  6. These sites could include banks and popular business/corporate websites that require staff to log in.
  7. When a user visits one of these websites, the malware-infected ad blocker captures all data entered on the website and sends the captured data to its own remote server.
  8. This data will include sensitive information such as passwords, usernames, web browser history, search terms, and credit card information; in fact, anything typed on the website at the time.
  9. Furthermore, an attacker can at any time add websites or send further instructions/commands so that newly visited sites are treated in the same way.

In essence, this is a botnet composed of browsers infected with the fake AdBlock extensions. The browser will do whatever the command center server owners request it to do.

NSI Recommendations To Protect Yourself From Malicious Extensions

  1. NSI advises you to be ever vigilant when downloading software and extensions, and to download only from companies that can be verified and trusted.
  2. Before downloading, check the author of the extension and do not download if the author can’t be verified.
  3. Look up the developer’s website for the extension you want; it will have a link to the store where you can install it.
  4. Always be mindful of what you install on your browser, as many hackers are constantly developing malware, trojans, etc. and masking them within so-called legitimate extensions.
  5. If you have indeed installed one of the aforementioned extensions, please delete it immediately.
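
To check an installed extension against the traits described above, the following Python function is an added example (not code from Meshkov’s research or from NSI). It flags a name from the list in this article, a background context combined with access to all sites, and a bundled jQuery file whose SHA-256 digest is not among known-good digests supplied by the caller. The finding labels, the sample manifest and the stand-in library bytes are constructed for illustration.

```python
import hashlib
import re

# Extension names listed in the article. Store names are not unique, so a match
# is a lead for review, not proof of compromise.
FLAGGED_NAMES = ["AdRemover for Google Chrome™", "uBlock Plus", "Adblock Pro",
                 "HD for YouTube™", "Webutation"]
# Match patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _norm(name):
    """Lower-case and drop spaces/symbols so small spelling variants still match."""
    return re.sub(r"[^a-z0-9]+", "", name.lower())


def audit_extension(manifest, files, known_good_jquery):
    """Return a list of findings for one unpacked extension.

    manifest: parsed manifest.json; files: {relative path: bytes};
    known_good_jquery: SHA-256 hex digests of official jQuery builds,
    collected by the auditor (an assumption: the caller supplies them).
    """
    findings = []
    if _norm(manifest.get("name", "")) in {_norm(n) for n in FLAGGED_NAMES}:
        findings.append("name-on-article-list")

    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    # Background context plus all-site access is the privileged position the
    # article describes. Genuine ad blockers have it too, so treat it as context.
    if manifest.get("background") and hosts & BROAD_HOSTS:
        findings.append("background-context-with-all-sites-access")

    for path, data in sorted(files.items()):
        base = path.rsplit("/", 1)[-1].lower()
        if base.startswith("jquery") and base.endswith(".js"):
            if hashlib.sha256(data).hexdigest() not in known_good_jquery:
                findings.append("modified-library:" + path)
    return findings


# Constructed sample data: a stand-in "official" library and a copy with code appended.
OFFICIAL = b"/*! jQuery stand-in (constructed sample) */ window.jQuery = function () {};"
TAMPERED = OFFICIAL + b"\n/* appended code (constructed) */"
KNOWN_GOOD = {hashlib.sha256(OFFICIAL).hexdigest()}
SAMPLE_MANIFEST = {"name": "AdRemover for Google Chrome™",
                   "background": {"scripts": ["bg.js"]},
                   "permissions": ["tabs", "<all_urls>"]}

if __name__ == "__main__":
    print(audit_extension(SAMPLE_MANIFEST, {"js/jquery.min.js": TAMPERED}, KNOWN_GOOD))
```

A manifest may store a localized placeholder instead of the display name, in which case the name check will not match and the library check carries the result.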

ABOUT NATIONAL SURVEILLANCE AND INTELLIGENCE

National Surveillance and Intelligence are an Australian owned Global Geopolitical Risk and Counter Intelligence Advisory Firm. NSI has an interdisciplinary team of employees and partners in strategic locations around the globe.
