URL: https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree
Submission: On October 22 via manual from IN — Scanned from DE
Threat actor goes on a Chrome extension hijacking spree
August 14, 2017
Kafeine

Overview

Chrome Extensions are a powerful means of adding functionality to the Chrome browser, with features ranging from easier posting of content on social media to integrated developer tools. At the end of July and beginning of August, several Chrome Extensions were compromised after their authors’ Google Account credentials were stolen via a phishing scheme. This resulted in hijacked traffic and exposed users to potentially malicious popups and credential theft. We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10], “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.

Analysis

On August 12 Chris Pederick reported [1] that his Extension, Web Developer for Chrome, had been compromised (Figure 1).

Figure 1: Chris Pederick’s tweet from August 2, 2017 regarding the compromise of his Web Developer for Chrome Extension

We retrieved the compromised version and isolated the injected code.
Figure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromised

Figure 3: Snippet of the inserted code in content.js from the compromised version of Web Developer 0.4.9

In general terms, the compromised extension first checks that it has been installed for at least 10 minutes, using the following line of code:

    // 'installed' is the install timestamp recorded elsewhere by the extension
    if ((Date.now() - installed) > 10 * 60 * 1000)

Before proceeding with the rest of the extension code, the compromised components retrieve a remote file, ga.js, over HTTPS from a server whose domain is generated via a domain generation algorithm (DGA):

    var date = new Date();
    var day = date.getUTCDate();
    var month = date.getUTCMonth() + 1;
    var year = date.getUTCFullYear();
    var hour = date.getUTCHours();              // computed but not used in the seed
    var d = day + '-' + month + '-' + year;     // UTC date seed, so the domain changes daily
    var hash = "wd" + md5(d) + ".win";

On August 2, for example, the network request was https://wd7bdb20e4d622f6569f3e8503138c859d[.]win/ga.js. At that time, the file was served by Cloudflare. The day after, the network request was https://wd8a2b7d68f1c7c7f34381dc1a198465b4[.]win/ga.js.

Figure 4: Step 1 remote ga.js code called by the victim’s browser using the compromised extension - retrieved August 3, 2017

Figure 5: Array contained in the ga.js after unescaping; note that Cloudflare immediately removed the domains when we notified them of the malicious activity

The code from this first step allows the threat actors to conditionally call additional scripts, including some to harvest Cloudflare credentials:

Figure 6: Conditionally called Step 2 script allowing the actor to grab and exfiltrate Cloudflare credentials after the victim’s login

At step 2, several other scripts can be called (Figure 7):

Figure 7: Some of the calls generated by the injected ga.js

As shown in Figure 8, the compromised version of the extension attempts to substitute ads in the victim’s browser, hijacking traffic from legitimate advertising networks.
Figure 8: Sample of strings that trigger a substitution attempt (from 973820_BNX.js?rev=133)

While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites (Figure 9).

Figure 9: Code snippet demonstrating the extensive effort involved in properly substituting advertisements in adult websites; retrieved on August 3, 2017 from 973820_BNX.js?rev=133

Figure 10 shows several additional triggers for advertising substitutions, again on adult websites and particular advertising networks:

Figure 10: Other substitution triggers (695529_BNX.js?rev=144)

The advertising substitutions work for a specific set of 33 common banner sizes including 468x60, 728x90, and many more spanning numerous aspect ratios (Figure 11).

Figure 11: Banner formats handled by the compromised extension, based on a version retrieved on August 3, 2017 from 973820_BNX.js?rev=133

The advertising calls themselves specify the substituted banner format. For example, one particular ad call read:

    b.partner-net[.]men/code/x/b/?pid=973820&adu=0&s=468x60

In many cases, victims were presented with fake JavaScript alerts prompting them to “repair” their PC and then redirecting them to affiliate programs from which the threat actors could profit. Figure 12 shows a malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used.

Figure 12: Chain to affiliate program from a fake JavaScript alert

The code generating the fake alert page is shown in Figure 13:

Figure 13: Code generating the fake JavaScript alert

Figure 14: One of the affiliate programs receiving the hijacked traffic

Figure 15: Another affiliate program receiving the hijacked traffic

The popup alerts were also reported in May with the “Infinity New Tab” compromise.
The involved code in that compromised extension [5] is almost identical, but the DGA was slightly different: it is seeded by month and year only (local time rather than UTC), so the hostname rotates monthly rather than daily:

```javascript
var day = date.getDate();
var month = date.getMonth() + 1;      // getMonth() is zero-based
var year = date.getFullYear();
var d = month + '/' + year;           // e.g. "5/2017"
var tds_url = 'http://' + md5(d) + '.pro/tds.php?subid=ce';
```

The same malicious activity was also reported in some fake EU Cookie-Consent alerts [6] (Figure 16). The server involved in those cases, browser-updates[.]info, is the same as the one used in the “Infinity New Tab” case and most likely is an old front for the same backend as redirect2[.]top and loading[.]website. While those details are outside the scope of this blog, it is worth noting that examining these activities allows us to trace them back to @BartBlaze’s post from July 2016 [7]:

Figure 16: One of the servers currently used by this group to publish a trapped cookie-consent JavaScript script

Figures 17-19 show that this activity is able to generate substantial traffic:

Figure 17: Alexa report on browser-updates[.]info

Figure 18: Similarweb report on searchtab[.]win

Figure 19: Alexa report on partner-net[.]men

The Phishing

Our colleagues at Phishme have already examined the credential phishing that originally allowed the actors to compromise the extensions [3]; the Web Developer extension case was almost identical:

Figure 20: Screenshot of the email used to harvest extension coder credentials

Conclusion

Threat actors continue to look for new ways to drive traffic to affiliate programs [13] and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements in victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means for potential future attacks.

Acknowledgements

We would like to thank Cloudflare for their immediate action upon notification of malicious activity using their hosting service. We would also like to thank Chris Pederick (author of the Web Developer extension) for sharing data tied to the phishing, and for the transparent way he and the CopyFish author handled the incidents.

References

[1] https://twitter.com/chrispederick/status/892768218162487300
[2] http://chrispederick.com/blog/web-developer-for-chrome-compromised/
[3] https://phishme.com/even-smart-ones-fall-phishing/
[4] https://www.centbrowser.com/forum/printthread.php?tid=1394&page=2
[5] https://pastebin.com/pHf7EHRG
[6] http://divbits.com/joomla-hacked-pop-message/
[7] https://bartblaze.blogspot.co.uk/2016/07/eu-cookie-law-and-fake-chrome-extensions.html
[8] http://infinitynewtab.com/notice.html
[9] https://a9t9.com/blog/chrome-extension-adware/
[10] https://pastebin.com/pHf7EHRG
[11] https://gist.github.com/FelixWolf/066fd5ca2672f15089e7712827140bd9
[12] https://www.facebook.com/socialfixer/posts/10155117415829342
[13] https://www.proofpoint.com/us/threat-insight/post/pyramid-schemes-go-high-tech-affiliate-spam-and-malware-affiliates

Indicators of Compromise

| IOC | IP | Comment |
|---|---|---|
| click.rdr11[.]top | 31.186.103.146 | Server used for phishing CopyFish Free Extension - 2017-07-28 |
| chromedevelopment[.]site | 31.186.103.147 | Server used for phishing Google accounts from extension developers - 2017-08 |
| login.chromeextensions[.]info | 31.186.103.149 | Server used for phishing Google accounts from extension developers |
| chromeextensions[.]info | 31.186.103.149 | Server used for phishing Google accounts from extension developers |
| wd8a2b7d68f1c7c7f34381dc1a198465b4[.]win | 104.131.30.88 | Injection server (ga.js) - 2017-08-03 |
| wd7bdb20e4d622f6569f3e8503138c859d[.]win | 104.131.30.88 | Injection server (ga.js) - 2017-08-02 |
| loading[.]website | 162.255.119.12 | Server used for JS alert in August 2017 |
| searchtab[.]win | 104.131.67.58 | Server used for credential exfiltration |
| redirect2[.]top | 104.131.67.58 | Server used for credential exfiltration |
| browser-updates[.]info | 198.54.117.212 | Server used for JS alert and credential exfiltration in May 2017 (both in the fake EU Cookie Consent case and in the Chrometana and Infinity New Tab compromises) |
| browser-updates[.]info/firebase_subscribe.js | | JS used to exfiltrate Firebase credentials; similar JS was injected directly in Chrometana |
| imagetwist[.]info | 174.138.62.139 | Server used for credential exfiltration (from imagetwist) |
| https://wd7bdb20e4d622f6569f3e8503138c859d[.]win/ga.js | | JS called by content.js - wd+md5(2-8-2017).win |
| http://searchtab[.]win/ga.js | | JS conditionally loaded as 2nd step |
| http://redirect2[.]top/ga.js | | JS conditionally loaded as 2nd step |
| http://partner-net[.]men/code/pid/linkcheck.js?rev=133 | | JS conditionally loaded as 3rd step |
| https://f.partnerwork[.]men/code/code/index_4.php | | PHP conditionally loaded as 3rd step |
| https://f.partnerwork[.]men/code/code/mss_3.js | | 4th step |
| https://y.partnerwork[.]men/code/code/index_3.php | | 5th step |
| http://partner-net[.]men/code/pid/973820_BNX.js?rev=133 | | JS called as 2nd step performing most of the ad injection/substitution |
| http://partner-net[.]men/code/?pid=973820&r= | | JS conditionally called as 2nd step |
| login.chromedevelopment[.]site | 31.186.103.147 | Server used for phishing Google accounts from extension developers - 2017-08 |
| y.partnerwork[.]men | 185.147.15.35 | Server used for ads insertion |
| f.partnerwork[.]men | 185.147.15.37 | Server used for ads insertion |
| partner-net[.]men | 95.211.68.187 | Server used for ads insertion |
| partner-net[.]men | 95.211.68.186 | Server used for ads insertion |
| b.partner-net[.]men | | Server used for ads insertion |
| http://land.pckeeper[.]software/land/7.13.222/index.php?affid=mzb_251.563088.1501708560.18.mzb&utm_source=prfl&utm_medium=cps&utm_campaign=pck_prfl_cps_ww_713&utm_term=&utm_content=&userDefiner=mzb_2424&trt=33_1641011700&tid_ext=1451151054 | | PCKeeper affiliate program URI involved in the chain |
| http://land.pckeeper[.]software/land/7.13.222/index.php?affid=mzb_281.2294418.1495859377.18.mzb&utm_source=maxb&utm_medium=cps&utm_campaign=pck_maxb_cps_eu2_713&utm_term=&utm_content=&userDefiner=mzb_2424&trt=33_1638077&tid_ext=pck_maxb_cps_us_eu2_sale | | PCKeeper affiliate program URI involved in the chain |
| http://wlp.cleanmypc[.]online/mxbt1/?x-context=496906380&utm_source=mxapcfx5&utm_campaign=mxapcfx5&pxl=MXA2240_MXA2193_RUNT&utm_pubid=56754&x-at=XXXXX&override=1 | | CleanMyPC affiliate program URI involved in the chain |
| cookie-policy[.]org | 45.55.128.61 | EU Cookie script server |
| cdn2[.]info | 45.55.128.61 | EU Cookie script server |
| cdn8[.]info | 45.55.128.61 | EU Cookie script server |
| cdn.cookiescript[.]info | 52.222.226.223 | Server used for EU Cookie 2017-07 |
| cdn.front[.]to | 162.243.105.107 | Server used for EU Cookie 2016-06 - 302 to cdn.cookiescript[.]info on 2017-08-02 |
| UA-103045553-1 | | Google Analytics UA used in scripts injected in compromised extensions |
| 283599517713 | | Firebase messagingSenderId used in the script to gather credentials |
| ganalytics[.]win | 104.131.30.88 | Old domain used for the injected ga.js |
| 92fffe0ba52da491a2b7576627f3693a[.]pro | | Domain used in May in the Infinity New Tab compromise - md5(5/2017) |
| 7ce508e6099e31f68c2fd50c362f087d[.]pro | | Domain used in May in the Infinity New Tab compromise - md5(6/2017) |
| partner-print[.]men | 185.147.15.39 | Server used for ads insertion |
| extstat[.]com | 185.147.15.39 | Server used for ads insertion |