Malicious Chrome Extension - Injects Malware in Browsers

Significant risk — action recommended within 24-48 hours
In short: a malicious Chrome extension is hijacking users' clicks and monetising their traffic without their knowledge.
A new malicious Chrome extension, Amazing Refresh, is hijacking user clicks and monetizing traffic without consent. This poses risks to both users and website owners. Immediate action is needed to remove the extension and protect users.
What Happened
A malicious browser extension called Amazing Refresh has been uncovered, affecting visitors to various customer websites. This extension injects harmful JavaScript into web pages, hijacking outbound clicks and secretly monetizing user traffic. Notably, the extension operates without compromising the websites themselves, making it a stealthy threat.
How It Works
The extension masquerades as a simple tab auto-refresher, but its true purpose is to run malicious scripts in the background. Each time a user navigates to a new page, the extension sends a POST request to its command and control (C&C) server, exfiltrating information such as:
- Current and previous page URLs
- Window dimensions and user agent
- Element IDs on the page
- A unique client identifier linked to the user's Google Analytics profile
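A script tag that an extension inserts into a page's DOM is governed by that page's Content-Security-Policy like any other third-party script, so a site owner with a report-uri endpoint can see both the injected script from amazingrefresh.com and the beacon to api.amazingrefresh.com if the policy restricts script-src and connect-src. The following is an added example, not code from the original advisory or from Report URI: it classifies script and connection hosts against the advisory's IoC hosts, triages CSP violation reports, and, when loaded in a browser, watches the live DOM for injected script elements. The first-party allowlist, the sample reports and the URL paths in them are constructed for the example and are not observed data.

```javascript
// Added example (not from the advisory): detect extension-injected scripts and
// beacons on your own site via CSP violation reports and a DOM observer.

// Hosts taken from the advisory's Indicators of Compromise.
const IOC_HOSTS = [
  'amazingrefresh.com',      // injected script host (api.amazingrefresh.com is a subdomain)
  'advertisingshubb.com',    // affiliate gateway
  'meetlookup.com',          // geo lookup
];

// ASSUMPTION: hosts this site legitimately loads scripts from (constructed).
const FIRST_PARTY = new Set(['www.example.com', 'cdn.example.com']);

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // CSP reports also carry non-URL values such as "inline" or "eval"
  }
}

// True for an IoC host or any subdomain of one.
function matchesIoc(host) {
  return IOC_HOSTS.some((ioc) => host === ioc || host.endsWith('.' + ioc));
}

// Classify a script or connection target seen on the page.
function classify(url) {
  const host = hostOf(url);
  if (host === null) return 'invalid';
  if (matchesIoc(host)) return 'ioc';
  if (FIRST_PARTY.has(host)) return 'allowed';
  return 'unknown-third-party';
}

// Triage one report body in the legacy report-uri format ({ "csp-report": {...} }).
// Returns a finding for anything not on the allowlist, or null.
function triageCspReport(report) {
  const body = report['csp-report'];
  if (!body) return null;
  const blocked = body['blocked-uri'] || '';
  const verdict = classify(blocked);
  if (verdict === 'allowed' || verdict === 'invalid') return null;
  return {
    page: body['document-uri'],
    directive: body['effective-directive'] || body['violated-directive'] || '',
    blocked,
    verdict,
  };
}

function triageAll(reports) {
  return reports.map(triageCspReport).filter(Boolean);
}

// Constructed sample reports (paths are placeholders, not observed indicators):
// an injected script load, the C&C beacon, a benign first-party script reported
// by an overly strict policy, and an unrelated third-party script.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/products', 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://amazingrefresh.com/inject.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/products', 'effective-directive': 'connect-src', 'blocked-uri': 'https://api.amazingrefresh.com/' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/cart', 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://cdn.example.com/app.js' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/cart', 'effective-directive': 'script-src-elem', 'blocked-uri': 'https://tracker.third-party.invalid/t.js' } },
];

// In a browser, also watch for <script> elements added to the DOM at runtime,
// which is how an extension's content script typically brings in remote code.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName === 'SCRIPT' && node.src) {
          const verdict = classify(node.src);
          if (verdict !== 'allowed') console.warn('script added to DOM:', node.src, verdict);
        }
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageAll(SAMPLE_REPORTS));
}
```

The observer only covers script elements inserted into the page's DOM; code that runs purely inside the extension's own isolated world never touches the DOM and is visible only through the network requests it makes, which is what the connect-src report catches.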
Signs of Infection
Users may not notice the effects immediately, but website owners can see unusual activity in their analytics. The extension can redirect clicks through affiliate networks, potentially leading users to unintended destinations. This silent hijacking raises significant concerns about trust and security.
How to Protect Yourself
To safeguard against such threats:
- Limit the use of browser extensions to trusted sources only.
- Regularly review installed extensions and remove any that seem suspicious.
- Monitor your website's traffic and analytics for unusual patterns.
- Report any suspicious extensions to browser vendors for investigation.
Impact on Website Owners
For website owners, the implications are serious. While their sites remain uncompromised, the extension's activity can lead to lost revenue and damaged reputation. Users may be redirected to unwanted sites, and the website owners may remain unaware of the ongoing exploitation.
Reporting the Malicious Extension
The extension is currently available on both Chrome and Edge. It has been reported to both browser vendors, with evidence of its malicious behavior. Given its nearly 100,000 active installs, swift action is essential to protect users and maintain the integrity of the web.
Indicators of Compromise
Here are some key indicators that may suggest the presence of this malicious extension:
- Extension Name: Amazing Refresh
- Injected Script Host: amazingrefresh.com
- C&C Server: api.amazingrefresh.com
- Affiliate Gateway: advertisingshubb.com
- Geo Lookup: meetlookup.com
For those looking for advanced threat detection, consider using tools like Report URI, which can help monitor and safeguard your website against similar threats.
🔍 How to Check If You're Affected
1. Check installed browser extensions for Amazing Refresh.
2. Monitor website analytics for unusual outbound click patterns.
3. Review network traffic (proxy or DNS logs) for requests to api.amazingrefresh.com and the other hosts listed above.
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: The stealthy nature of this extension highlights the urgent need for better monitoring of client-side scripts across all web applications.