If you use Google Chrome, you might have the “Better History” extension installed. If you do, and you’ve upgraded it recently, you’ve probably seen a large influx of advertising on your screen. Yes, you guessed it, hackers have found yet another avenue of attack, this time, co-opting browser extensions.
In this particular case, the browser extension was legitimate, and actually served a useful function, enabling users who installed it to organize and track the pages they visit, so they could more easily get back to a page they’d visited sometime earlier.
Unfortunately, the person who initially developed the extension sold it to an unnamed party. That party modified the extension itself, but did not modify the files on the GitHub repository, making it appear that the extension was unchanged.
One of the scripts added was called “common.js” which intercepted a user-entered URL, redirecting to a page filled with advertising, for which the extension’s new owners received compensation. In addition to that, the page users were redirected to allow unwilling visitors to be tracked further, providing valuable information to the extension’s new owners, which could be sold/traded/etc.
The user community has complained loudly about the issue, and since then, the Better History extension has been removed from circulation. Unfortunately, the damage does not stop there. Reddit user “Scarazer” reports that the same code (“common.js”) can be found on numerous other Chrome extension, including 4chan Plus, Chrome Currency Converter, Hide My Adblocker, User-Agent Switcher, and Web Timer, indicating that the same “acquire and modify” strategy may have been more widely used than initially thought.
What’s particularly disturbing about this line of attack is the fact that most people don’t give a second thought to the installation of browser extensions, which add a variety of useful, and often essential functionality to the core program. Now, however, it appears that even these are not safe. If you have noticed a higher number of ads or have been redirected to sites you did not intend to visit, you may want to get your computer checked for these extensions or other types of infections. Feel free to reach out to our team to schedule a thorough check and cleanup.