The two-month-long investigation was carried out by independent security researcher Jamila Kaya and Cisco’s Duo Security team who shared the findings with ZDNet. According to Duo, the malware campaign is “a large-scale campaign of copycat Chrome extensions that infected users’ browsers.” The researchers found that the malware operation had been active for at least two years with potential activity dating back to the early 2010s. They also identified 70 Chrome Web Store extensions that were installed by over 1.7 million users. Kaya, the person responsible for unearthing the operation, made use of CRXcavator, a service for analyzing Chrome extensions, for the initial findings. She initially discovered a cluster of extensions that run on top of a nearly identical codebase. Later, Kaya teamed up with other Duo researchers to find out more evidence. The malicious code injected by the extensions was set to activate under certain conditions and redirect users to specific sites to steal their private data without the user’s knowledge. The plugins then redirected browsers to hard-coded control servers to access additional instructions, advertisement feed lists, locations to upload data, and domains for future malvertising. At times, extensions would not only lead users to legitimate sites such as Macy’s, Dell or BestBuy through affiliate links but also navigate them to known malware download sites or phishing pages. “In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” Kaya and Duo Security Jacob Rickerd wrote in a blog post. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the user’s knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.” The researchers privately reported their findings to Google after which the search giant carried its own investigation. The company searched the entire Chrome Web Store corpus and removed more than 500 related extensions. Google also deactivated the extensions inside every users’ browsers and marked them as “malicious” to let users know to delete it and not reactivate it. “We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,” said a Google spokesperson. “We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.” Duo has published a summary of the malicious extensions that were part of the malvertising scheme. The security firm recommends users to regularly audit the extensions installed on their browser and remove extensions they don’t recognize or haven’t used recently. “As part of good security hygiene, we recommend users regularly audit what extensions they have installed, remove ones they no longer use and report ones they do not recognize. Being more mindful and having access to more easily accessible information on extensions can help keep both enterprises and users safe,” Duo Security said.