This has been discovered by researchers at Guardio Labs, and reported by Bleeping Computer. The campaign was named “Dormant Colors”, by the way.
Chrome extensions with over 1 million installs hijack searches
That being said, by mid-October 2022, 30 variants of browser extensions were available on both Chrome and Edge web stores. Together, they were installed over 1 million times. You can check out a full list of add-ons below.
How did the infection start? Well, “with advertisements or redirects when visiting web pages that offer a video or download”, says Bleeping Computer. When users attempted to download a program or watch a video, they were redirected to another site that brought up the installation of a Chrome/Edge extension. Were you to click ‘OK’ and ‘Continue’, you’d be prompted to install one of the color-changing extensions listed in the image above. Once installed, those extensions redirected users to various pages that side-load malicious scripts. Those scripts would push the extensions to perform search hijacking and instruct them on which sites to insert affiliate links into.
“The first one dynamically creates elements on the page while trying desperately to obfuscate the JavaScript API calls”, says the Guardio report. The report also adds the following: “Both of those HTML elements (colorstylecsse and colorrgbstylesre) include content (InnerText) that for the first is a ‘#’ separated list of strings and regexes and the last is a comma-separated list of 10k+ domains. To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as it was just another advertisement popup”.
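One way to triage a page captured from this flow, added here as an example and not code from Guardio, Bleeping Computer or the extensions themselves: it pulls out the two hidden elements the report names (colorstylecsse and colorrgbstylesre), matching them as either tag names or id attributes (an assumption), splits their text the way the report describes, and flags inline scripts that assign to the location object. The sample HTML, domains and URLs are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Element names come from the Guardio report quoted above. Whether they are
# used as tag names or as id attributes is an assumption, so both are matched.
MARKERS = ("colorstylecsse", "colorrgbstylesre")
# Assignment to the location object (the final redirect step in the report).
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=(?!=)|location\.(?:assign|replace)\s*\(")

class MarkerExtractor(HTMLParser):
    """Collect the text of the marker elements and of inline scripts."""
    def __init__(self):
        super().__init__()
        self.texts = {m: [] for m in MARKERS}
        self.scripts = []
        self._target = None  # marker name or "script" while inside one

    def handle_starttag(self, tag, attrs):
        name = tag if tag in MARKERS else dict(attrs).get("id")
        if name in MARKERS:
            self._target = name
        elif tag == "script":
            self._target = "script"

    def handle_data(self, data):
        if self._target == "script":
            self.scripts.append(data)
        elif self._target:
            self.texts[self._target].append(data)

    def handle_endtag(self, tag):
        self._target = None  # marker elements carry plain text only

def triage(html):
    """Return the hidden config the report describes, plus a redirect flag."""
    p = MarkerExtractor()
    p.feed(html)
    p.close()
    patterns = "".join(p.texts["colorstylecsse"]).split("#")   # '#'-separated
    domains = "".join(p.texts["colorrgbstylesre"]).split(",")  # comma-separated
    return {
        "patterns": [s.strip() for s in patterns if s.strip()],
        "domains": sorted({d.strip().lower() for d in domains if d.strip()}),
        "redirects": any(REDIRECT_RE.search(s) for s in p.scripts),
    }

# Constructed sample page; the domains and URLs are placeholders, not real IoCs.
SAMPLE_HTML = r"""<html><body>
<div id="colorstylecsse" style="display:none">search?q=#^https?://www\.search-example\.test/#q=</div>
<colorrgbstylesre style="display:none">ads1.example.test, ads2.example.test,ads1.example.test</colorrgbstylesre>
<script>window.location.href = "https://ad.example.test/landing";</script>
</body></html>"""

if __name__ == "__main__":
    r = triage(SAMPLE_HTML)
    print(f"{len(r['patterns'])} patterns, {len(r['domains'])} domains, redirect={r['redirects']}")
```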
The developer would generate income from ad impressions, sale of search data, and affiliate links
Once it does its thing, the extension redirects search queries to return results from sites affiliated with the extension’s developer. Therefore, it would generate income from ad impressions and the sale of search data. On top of that, once the affiliate tags are appended to the URL, the developers would also get a commission from sales, thanks to those affiliate links.