Scammers use Chrome, Firefox extensions in widespread ad fraud campaign

Malicious browser extensions aren't new. But this one's different.
Browser extensions are grist for the fraud mill. (Getty Images).

Security experts at Microsoft on Thursday detailed how internet attackers are abusing some of the world’s most popular web browsers for a fraud campaign, which at its height has affected more than 30,000 devices per day.

The scammers are using malicious browser extensions — a tried and tested fraud tactic — to inject bogus advertisements into the results displayed on a search engine page. The more users who visit the fraudulent ad pages, the more money the perpetrators earn via a traffic-driven advertising program. Microsoft did not identify who was responsible for the attacks, or how much money they had netted.

The malicious campaign, which Microsoft said began in May, uses extensions on popular web browsers like Google Chrome, Mozilla Firefox, Microsoft Edge and Russian-language Yandex to reach as many internet users as possible.

“[T]he fact that this campaign utilizes a piece of malware that affects multiple browsers is an indication of how this threat type continues to be increasingly sophisticated,” Microsoft researchers said in a blog post on Thursday. “In addition, the malware maintains persistence and exfiltrates website credentials, exposing affected devices to additional risks.”


It’s an example of the ease with which a browser extension, which might appear benign to the average person, can be commandeered for malicious purposes. Web-browsing providers, like Google, have tried to crack down on the problem, though extensions continue to represent a reliable way of smuggling code onto computers.

In this campaign, the goal appears to be to make money, though surveillance has been the motive in other unrelated efforts. Researchers from Awake Security in June revealed a sweeping campaign, which amassed 33 million downloads of malicious code, that used Chrome extensions to spy on users in the oil and gas, finance and health care sectors.

The malicious software tracked by Microsoft, known as Adrozek, has been distributed by 159 different internet domains and shown up in hundreds of thousands of instances on computers across the globe. It’s the type of far-reaching hacking effort that Microsoft specializes in tracking because more than a billion devices on the planet run Microsoft software.

The code has other insidious features, including the capability to alter security settings on some browsers to give scammers more control over the browser.

Microsoft advised people who discover the Adrozek malware on their computers to reinstall their browsers.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
