October 25, 2022

A malvertizing campaign is being used to promote Google Chrome extensions that can hijack search queries and insert affiliate links into websites.

The malicious activity was uncovered by researchers at Guardio Labs, who said that by mid-October 2022, 30 variants of the browser extensions were available in both the Chrome and Edge web stores. These malicious browser extensions amassed over a million installations.

The infection process starts with advertisements or redirecting websites that offer a video or download. In the course of trying to download the program or watch the video, users are redirected to another website where they are asked to install an extension before they can continue.

As soon as a user clicks the ‘OK’ or ‘Continue’ button, they are prompted to install a color-changing extension. Once installed, these extensions redirect users to different pages where malicious scripts are stored that instruct the extension how to perform search hijacking. It also instruct the extension on what sites to insert affiliate links.

“The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls. Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes, and the last is a comma-separated list of 10k + domains. To finish it up, it also assigns a new URL to the location object, so you are redirected to the advertisement that finalizes this flow, as it was just another advertisement popup,” explained the Guardio report.

The researchers found that it is possible to redirect victims to phishing sites in order to steal access data for Microsoft 365, Google Workspace, bank pages or social media platforms.

They also warned that the attackers could use the same stealthy malicious code side-loading technique to carry out more malicious actions than hijacking affiliations.

The sources for this piece include an article in BleepingComputer.