Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

New information have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were being located to hijack clicks to back links in search outcomes internet pages to arbitrary URLs, together with phishing internet sites and ads.

Collectively named “CacheFlow” by Avast, the 28 extensions in query — together with Video clip Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — designed use of a sneaky trick to mask its real purpose: Leverage Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.

All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to avoid far more end users from downloading them from the formal outlets.

password auditor

According to telemetry facts gathered by the business, the best a few infected international locations ended up Brazil, Ukraine, and France, adopted by Argentina, Spain, Russia, and the U.S.


The CacheFlow sequence began when unsuspecting buyers downloaded one particular of the extensions in their browsers that, upon set up, despatched out analytics requests resembling Google Analytics to a distant server, which then beamed again a specially-crafted Cache-Manage header that contains hidden commands to fetch a second-phase payload that functioned as a downloader for the ultimate JavaScript payload.

This JavaScript malware amassed beginning dates, e-mail addresses, geolocation, and device activity, with a specific focus on amassing the data from Google.

“To retrieve the birthday, CacheFlow built an XHR request to https://myaccount.google.com/birthday and parsed out the delivery date from the response,” Avast scientists Jan Vojtěšek and Jan Rubín noticed.

In the ultimate phase, the payload injected one more piece of JavaScript into each individual tab, utilizing it to hijack clicks foremost to genuine web sites, as perfectly as modify look for effects from Google, Bing, or Yahoo to reroute the target to a different URL.

Which is not all. The extensions not only avoided infecting people who had been probably to be world-wide-web developers — one thing that was deduced by computing a weighted rating of the extensions set up or by examining if they accessed domestically-hosted internet websites (e.g., .dev, .neighborhood, or .localhost) — they ended up also configured to not show any suspicious actions through the very first 3 days publish-set up.


Avast claimed the myriad tips used by the malware authors to escape detection may well have been a critical component that allowed it to execute destructive code in the qualifications and stealthily infect millions of victims, with evidence suggesting that the marketing campaign may possibly have been active because at the very least October 2017.

“We normally have confidence in that the extensions mounted from official browser outlets are risk-free,” the researchers claimed. “But that is not often the circumstance as we lately observed.”

“CacheFlow was notable in individual for the way that the malicious extensions would check out to disguise their command and manage targeted traffic in a covert channel employing the Cache-Manage HTTP header of their analytics requests. We think this is a new technique.”

The total listing of indicators of compromise (IoCs) involved with the marketing campaign can be accessed in this article.

Fibo Quantum