Another round of click-fraud extensions pulled from Chrome Store

A security researcher has claimed that a cumulative half a million Chrome users have been hit by four malicious browser extensions pushing click and SEO fraud.

Icebrg's Justin Warner and Mario De Tore spotted the extensions while investigating a spike in outbound traffic from a workstation in a customer's network. The company claims the four extensions had more than 500,000 downloads in all.

The extensions were Change HTTP Request Header (a legitimate capability is to hide browser type from trackers) and three apparently related to it: Nyoogle - Custom Logo for Google, Lite Bookmarks, and Stickies - Chrome's Post-it Notes.

Change HTTP Request Header didn't contain malicious code, the post stated. Rather, it downloaded “a JSON blob from ‘change-request[.]info’”, and that blob pushed a configuration update, after which obfuscated JavaScript was fetched from the control domain.

“Once injected, the malicious JavaScript establishes a WebSocket tunnel with ‘change-request[.]info’. The extension then utilises this WebSocket to proxy browsing traffic via the victim’s browser”, the post said, and that was how the click-fraud was launched.

A possible second use of the proxy would be to browse a company's internal network, for information that could be sent back to the control domain.

The three related extensions used similar techniques to inject unsafe JavaScript, Icebrg's analysts believe. The “Stickies” app went one step further, trying “to obfuscate its ability to retrieve external JavaScript for injection by modifying its included jQuery library”.

Google has removed the extensions from the Chrome Store. ®