New information about the recent hack that affected two VPNs and 8 Chrome applications in total has been released by the security experts at Proofpoint. The VPNs were Betternet and TouchVPN, and there is a possibility that their subscribers have experienced malicious popups and data theft when the suspected attack happened in June.
A group of researchers known as Kafeine, a part of Proofpoint team made this discovery. The exploit was relatively simple in terms that involved a phishing scheme that gave hackers control over a number of Chrome developers’ accounts. Here is a full list of all the apps that were affected:
- Web Paint 1.2.1
- Chrometana 1.1.3
- Infinity New Tab 3.12.3
- Web Developer
- Social Fixer 20.1.1
- Betternet VPN
As the researchers say, the hackers used a simple phishing technique that would redirect app developers to a fake Google account login page. On that page, their login details would be stolen and used for hackers to access the inner workings of the apps.
The news about the hack started to appear on 12th August, when one of the hacked developers, Chris Pederick used his Twitter profile to announce that his popular extension, Web Developer for Chrome has been hacked.
The researchers at Proofpoint downloaded the compromised version of the extension and tried to isolate the malicious code that has been put there by the attacker. The researchers discovered that once the compromised Chrome extension was installed, it waited ten minutes before communicating via HTTPS with a remote Command and Control server.
From there, the attackers would put an even more malicious code into the already compromised extension. The domains in question were on Cloudflare, and the researchers took the steps to take them down as soon as they got flagged by Proofpoint.
As the researchers say, most of the ad substitutions were targeted at adult websites, but there is a possibility that ads on other sites have been targeted too.
It is also possible that consumers suffered data loss due to the penetration.
As far as the users of Betternet go, they have been served adverts by the hackers, too. One Betternet user going by the handle kburton07 on the website LinusTechTips, said that he had awoken on the morning of 25 June to a barrage of adverts all over Chrome.
Other Betternet users have also come forward and reported their Chrome being flooded with strange ads, which helped the VPN provider to find out what was the problem and connect it to the extension. Betternet spokesperson confirmed the incident happening. They said that they have identified and fixed this issue the same day it occurred, on June 25.