A malvertising campaign spreading invasive browser extensions has managed to rack up over a million installs. The cybercriminals have released 30 different variants of these extensions, spread across the Chrome and Edge web stores. All of the extensions are presented as tools offering users the ability to customize the color schemes of visited websites, and all contain the word 'color' as part of their names - Mega Colors, Colors Scale, Border Colors, and many more. The entire campaign was named 'Dormant Colors' by the cybersecurity researchers who released a detailed report about it.
Users are lured to the intrusive extensions by first visiting a dubious website that supposedly provides video content or files for download. Instead, visitors will see advertisements for, or will be redirected to, a different site claiming that they must first install a browser extension to continue. By accepting the presented prompts, users agree to the installation of one of the 'colors' browser extensions.
When the extension is activated on the system, it will begin redirecting users to additional pages from which it side-loads malicious scripts. This way, the extension receives instructions on how to proceed with its search hijacking and on which specific sites to inject affiliate links. In practice, when users initiate a search, their search query is hijacked and they are presented with results containing sites affiliated with the operators of the PUP (Potentially Unwanted Program), generating profits for them via ad impressions or the potential sale of search data.
Exploiting Affiliate Programs
The browser extensions of the Dormant Colors campaign can intercept users' browsing and automatically lead them to a page from an extensive list of 10,000 websites that will have affiliate links appended to their URL. Afterward, any purchases made on the visited page will also generate money for the fraudsters, due to the included affiliate tag.
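A defender-side triage script for the side-loading and page-rewriting behaviour described in the two passages above (an added example written for this article, not code from the researchers' report): it walks a Chrome or Edge profile's Extensions directory and flags manifests that combine the campaign's 'color' naming with the permissions an extension needs to rewrite every visited page and intercept navigations. The profile path and the permission heuristics are assumptions, and the embedded sample manifest is constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Name fragment shared by the Dormant Colors extensions, per the report.
NAME_HINT = "color"
# Match patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or rewrite navigations and requests.
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "webNavigation"}

# Constructed sample manifest modelled on the campaign's naming; fields are made up.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Mega Colors",
    "version": "1.0",
    "permissions": ["storage", "webNavigation", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

def host_patterns(manifest):
    """Collect every host pattern the manifest asks for (MV2 permissions, MV3 host_permissions, content scripts)."""
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts

def assess_manifest(manifest):
    """Return the reasons a manifest deserves a closer look (empty list means nothing notable)."""
    reasons = []
    # Localized names appear as "__MSG_..." keys and are not resolved here.
    if NAME_HINT in str(manifest.get("name", "")).lower():
        reasons.append("name matches the campaign's 'color' pattern")
    if host_patterns(manifest) & BROAD_HOSTS:
        reasons.append("can read or rewrite every visited page")
    if set(manifest.get("permissions", [])) & INTERCEPT_PERMS:
        reasons.append("requests navigation/request interception permissions")
    return reasons

def audit_extensions(root):
    """Walk a browser profile's Extensions directory and report manifests worth triaging."""
    findings = []
    for path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, skip it
        reasons = assess_manifest(manifest)
        if reasons:
            findings.append({"name": manifest.get("name", "?"), "path": str(path), "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Assumed usage: python audit.py "<profile>/Extensions"; with no path, assess the sample.
    results = audit_extensions(sys.argv[1]) if len(sys.argv) > 1 else [
        {"name": SAMPLE_MANIFEST["name"], "path": "(sample)", "reasons": assess_manifest(SAMPLE_MANIFEST)}]
    for finding in results:
        print(f"{finding['name']} [{finding['path']}]: " + "; ".join(finding["reasons"]))
```

On Windows the Chrome profile directory is typically under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions and Edge's under %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions; the heuristics produce leads for manual review, not verdicts.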
Cybersecurity researchers warn that the operators of Dormant Colors could easily start performing far more threatening actions. Using the same code side-loading technique, they could redirect victims to dedicated phishing pages posing as legitimate domains or login portals. The fake sites could ask users to provide sensitive information that would then be handed to the fraudsters. Victims risk having their account credentials for important applications - Microsoft 365, banks, Google Workspace, or social media platforms - compromised.