This malvertising campaign has hit over a million Google Chrome users

A major malvertising campaign has been discovered hijacking people’s internet searches, and adding affiliate links to websites. 

According to the researchers that spotted the campaign, the developers generate plenty of income through affiliate commissions and search data sales. 

Experts from Guardio Labs recently discovered as many as 30 browser extensions for both Chrome and Edge, active since at least mid-October 2020, and having been downloaded more than a million times. 

Dormant Colors

When victims visit different sites offering video downloading services, they’re first forced to download the extension, in order to continue with the download, the researchers found.

The extension offers color customization options and comes with no malicious code, it was said, allowing it to pass antivirus scans. This is also why the researchers decided to dub the campaign “Dormant Colors”. However, after installation, the extension will redirect the user to a webpage that side-loads malicious scripts that tell the extension how to hijack search results and add affiliate links. 

The extension would be instructed to return search results for queries from sites affiliated with the developers, that way generating income from ad impressions and search data sales. 

What’s more, it comes with a redirect list of roughly 10,000 websites. Should the victim try to visit any of those sites, they would be redirected to it – but through a link with an affiliate link. As a result, any purchase made on those sites would earn the developers commission. 

While the campaign might come off as a nuisance, it’s not exactly damaging to the victims and doesn’t steal money directly from their pockets. However, researchers are warning that the same methodology could be used to steal sensitive information, or login credentials, from the targets. 

By redirecting the users to a phishing site, the attackers could obtain Microsoft 365 or Google Workspace passwords, and details from banking sites, or social media platforms.

Via: BleepingComputer