Over half a million users worldwide were infected by four malicious Chrome extensions, researchers said.
The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, according to ICEBRG, a network security analytics company that offers a SaaS capability.
Researchers found the malicious extensions after noticing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG said in a post.
The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated by a Chrome extension named Change HTTP Request Header.
ICEBRG researchers found that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’ via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting execution of the malicious segment if such tools were detected.
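As an added example (not ICEBRG's code or the post's), here is a defender's version of the outbound-volume check that surfaced the extension, run over constructed proxy log lines; the log format, workstation names and byte counts are assumptions, and only the destination domain comes from the report.

```python
"""Flag workstations sending unusually large outbound volumes to rare
destinations, the kind of signal described in the ICEBRG finding above.
The proxy log format and all values below are constructed for this example."""
from collections import defaultdict
from statistics import median

# Constructed proxy log lines: epoch  src_host  dst_domain  bytes_out
SAMPLE_LOG = """\
1517400000 ws-101 www.example.com 1820
1517400010 ws-101 cdn.example.net 9400
1517400020 ws-102 www.example.com 2100
1517400030 ws-102 cdn.example.net 8800
1517400040 ws-103 www.example.com 1900
1517400050 ws-103 cdn.example.net 9100
1517400060 ws-102 change-request.info 48000
1517400070 ws-102 change-request.info 52000
1517400080 ws-102 change-request.info 61000
"""

def parse_log(text):
    """Yield (src, dst, bytes_out) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _ts, src, dst, nbytes = parts
        yield src, dst, int(nbytes)

def flag_outbound_spikes(text, ratio=5.0, max_sources=1):
    """Return [(src, dst, total_bytes)] for destinations contacted by at most
    `max_sources` hosts where `src` sent more than `ratio` times the median
    volume it sends to each of its other destinations."""
    volume = defaultdict(int)   # (src, dst) -> total bytes out
    sources = defaultdict(set)  # dst -> hosts that contacted it
    for src, dst, nbytes in parse_log(text):
        volume[(src, dst)] += nbytes
        sources[dst].add(src)
    flagged = []
    for (src, dst), total in volume.items():
        if len(sources[dst]) > max_sources:
            continue            # widely used destination, not rare
        others = [v for (s, d), v in volume.items() if s == src and d != dst]
        if not others:
            continue            # no per-host baseline to compare against
        if total > ratio * median(others):
            flagged.append((src, dst, total))
    return sorted(flagged)

if __name__ == "__main__":
    for src, dst, total in flag_outbound_spikes(SAMPLE_LOG):
        print(f"{src} -> {dst}: {total} bytes out (rare destination, volume spike)")
```

In the constructed data only ws-102's traffic to the report's domain is flagged, since the other destinations are shared by every workstation and sit within each host's normal volume.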