Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome extensions that hijack searches and insert affiliate links into webpages.
Because all these extensions offer color customization options and arrive on the victim’s machine with no malicious code to evade detection, the analysts named the campaign “Dormant Colors.”
According to the Guardio report, by mid-October 2022, 30 variants of the browser extensions were available on both the Chrome and the Edge web stores, amassing over a million installs.
More than hijacking
The infection begins with advertisements or redirects when visiting web pages that offer a video or download.
However, when attempting to download the program or watch the video, you are redirected to another site stating you must install an extension to continue, as demonstrated below.
When the visitor clicks on the ‘OK’ or ‘Continue’ button, they are then prompted to install an innocuous-looking color-changing extension.
However, when these extensions are first installed, they will redirect users to various pages that side-load malicious scripts that instruct the extension on how to perform search hijacking and on what sites to insert affiliate links.
“Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes and the last is a comma-separated list of 10k+ domains.”
“To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as it is was just another advertisement popup.”
When performing search hijacking, the extension will redirect search queries to return results from sites affiliated with the extension’s developer, thus generating income from ad impressions and the sale of search data.
Dormant Colors goes beyond this by also hijacking the victim’s browsing on an extensive list of 10,000 websites by automatically redirecting users to the same page but this time with affiliate links appended to the URL.
Once the affiliate tags are appended to the URL, any purchase made on the site will generate a commission for the developers.
Guardio has also shared a video demonstrating the affiliation hijacking component, shown below.
Potential for more
The researchers warn that using the same stealthy malicious code side-loading technique, the operators of Dormant Colors could achieve potentially nastier things than hijacking affiliations.
The researchers say it’s possible to redirect victims to phishing pages to steal credentials for Microsoft 365, Google Workspace, bank sites, or social media platforms.
While there are no signs that the campaigns are performing this more malicious behavior, the researchers say it could be enabled simply by side-loading additional scripts.
The extensions and the websites listed in the report’s IoCs section have been removed/taken offline, but the researchers warn that the operation is constantly renewed with new add-on names and domains.