More than 500 Chrome extensions with millions of downloads from Google’s Chrome Web Store were found to infect users’ browsers and exfiltrate data to attacker-controlled servers. The extensions were part of a malvertising and ad-fraud campaign that has been active since at least January 2019, according to a joint report from independent researcher Jamila Kaya and Cisco-owned Duo Security.
During the research, the experts uncovered 70 Chrome Extensions with over 1.7 million installations and presented their findings to Google, which, in turn, conducted its own investigation and identified 430 more malicious browser extensions. All of the offending plugins have since been removed from Chrome Web Store.
“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms,” the researchers wrote.
The extensions were presented as tools providing promotions and advertising services. All of them had near-identical source code, differing only in function names, and the “level of permissions requested on each plugin is similarly high and is identical between them, allowing it to access a large amount of data in the browser.”
The extensions periodically connected to a domain with the same name as the plugin (e.g. Mapstrek[.]com or ArcadeYum[.]com) to check for instructions on whether to uninstall themselves from the browser. They then redirected the browser to a hard-coded C2 domain (DTSINCE[.]com) for further instructions: locations to upload data to, advertisement feed lists and the list of redirect domains.
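The two traits described above, near-identical code that differs only in names and domains, plus the same broad permission set, are something a defender can check for locally without waiting for the Web Store to act. The script below is an added example, not code from the Duo/Kaya report or from the extensions themselves. It walks a directory of unpacked extensions, normalizes each one's JavaScript (identifiers and string literals replaced by placeholders), and groups extensions whose normalized code hashes identically, reporting the broad permissions and hard-coded hosts of each member. The sample extensions it builds in a temporary directory are constructed for the demonstration, the `.example` hostnames are placeholders, and the `BROAD` permission list is this example's own triage threshold, not one taken from the report.

```python
"""Triage unpacked Chrome extensions for clusters of near-identical code.

Added example (not from the Duo/Kaya report).  Assumes a directory tree in
which each extension directory holds a manifest.json and its .js files,
which is how Chrome lays out Extensions/<id>/<version>/ in a user profile.
"""
import hashlib
import json
import re
from collections import defaultdict
from pathlib import Path
from tempfile import mkdtemp

# Permissions that give an extension reach over browsing data.
# Assumption: this is the example's own threshold, not the report's list.
BROAD = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
         "cookies", "history", "http://*/*", "https://*/*"}

JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "undefined", "typeof", "in", "of",
    "try", "catch", "finally", "throw", "break", "continue", "switch", "case",
    "default", "do", "delete", "instanceof", "void", "class", "async", "await",
}

_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_STRING = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
_IDENT = re.compile(r"[A-Za-z_$][\w$]*")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def normalize_js(src: str) -> str:
    """Rewrite JS so that code differing only in identifier names, string
    literals (e.g. the per-plugin domain), comments or whitespace compares
    equal.  Each new identifier is numbered in order of first appearance."""
    names = {}

    def rename(m):
        tok = m.group(0)
        if tok in JS_KEYWORDS:
            return tok
        return names.setdefault(tok, "v%d" % len(names))

    src = _COMMENT.sub("", src)
    src = _STRING.sub('""', src)      # drop literal contents before renaming
    src = _IDENT.sub(rename, src)
    return re.sub(r"\s+", "", src)


def fingerprint(src: str) -> str:
    return hashlib.sha256(normalize_js(src).encode()).hexdigest()[:16]


def hosts_in(src: str) -> set:
    """Hostnames hard-coded inside string literals (check-in and C2 domains)."""
    return {m.group(0).lower()
            for s in _STRING.findall(src) for m in _HOST.finditer(s)}


def load_extension(ext_dir: Path) -> dict:
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    # MV2 puts host patterns in "permissions", MV3 in "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    js = "\n".join(p.read_text() for p in sorted(ext_dir.rglob("*.js")))
    return {
        "name": manifest.get("name", ext_dir.name),
        "broad_permissions": sorted(perms & BROAD),
        "fingerprint": fingerprint(js),
        "hosts": sorted(hosts_in(js)),
    }


def find_clusters(root: Path) -> dict:
    """Group every extension under root by code fingerprint; keep groups of 2+,
    i.e. the 'same plugin under another name' pattern."""
    by_fp = defaultdict(list)
    for manifest in root.rglob("manifest.json"):
        info = load_extension(manifest.parent)
        by_fp[info["fingerprint"]].append(info)
    return {fp: exts for fp, exts in by_fp.items() if len(exts) > 1}


# Constructed sample (not the real extensions' code): a periodic check-in to a
# per-plugin host with an uninstall flag, then a fetch from a shared second host.
_TEMPLATE = """
var %(s)s = 'https://%(host)s/check';
function %(f)s() {
  fetch(%(s)s).then(function (r) { return r.json(); }).then(function (j) {
    if (j.uninstall) { chrome.management.uninstallSelf(); }
    else { fetch('https://%(c2)s/feed').then(function (f) { return f.json(); }).then(%(g)s); }
  });
}
function %(g)s(feed) { feed.redirects.forEach(function (u) { chrome.tabs.create({url: u}); }); }
setInterval(%(f)s, 60000);
"""


def build_sample_root() -> Path:
    """Write two look-alike extensions (same code, different names/hosts) and
    one unrelated benign one into a temp dir; returns its path."""
    root = Path(mkdtemp(prefix="ext-triage-"))
    lookalikes = {
        "plugin-a": dict(s="cfgUrl", f="poll", g="applyFeed", host="plugin-a.example", c2="c2.example"),
        "plugin-b": dict(s="endpoint", f="tick", g="handle", host="plugin-b.example", c2="c2.example"),
    }
    broad_manifest = {"manifest_version": 2, "version": "1.0",
                      "permissions": ["tabs", "<all_urls>", "management", "storage"]}
    for name, fields in lookalikes.items():
        d = root / name
        d.mkdir()
        (d / "manifest.json").write_text(json.dumps(dict(broad_manifest, name=name)))
        (d / "background.js").write_text(_TEMPLATE % fields)
    d = root / "notes"
    d.mkdir()
    (d / "manifest.json").write_text(json.dumps(
        {"manifest_version": 2, "name": "notes", "version": "1.0", "permissions": ["storage"]}))
    (d / "background.js").write_text("chrome.storage.local.set({started: Date.now()});")
    return root


if __name__ == "__main__":
    for fp, members in find_clusters(build_sample_root()).items():
        print("cluster", fp)
        for m in members:
            print("  %-10s perms=%s hosts=%s" % (m["name"], m["broad_permissions"], m["hosts"]))
```

Pointing `find_clusters` at a real profile (on Linux, `~/.config/google-chrome/Default/Extensions`) works the same way because `rglob` descends through the per-version directories. The normalization is deliberately crude: it is a clustering heuristic for triage, not a parser, so treat a cluster as a prompt to read the code and compare the listed hosts against your blocklists, not as a verdict.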
“A large portion of these are benign ad streams, leading to ads such as Macy’s, Dell, or Best Buy. What differentiates it as malvertising and ad fraud rather than legitimate advertising is the large volume of ad content shown, the fact that the user does not see many if not the majority of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing,” the report said.
The researchers said the campaign had been in operation for at least eight months, since January 2019, and grew rapidly (especially from March through June 2019), with dozens of new variant plugins released and new domains and infrastructure stood up monthly. Based on the creation date of the instruction domains (June 23, 2017), however, the researchers believe the campaign may have been active since 2017.