The initial investigation started after they noticed an unusual traffic flow on one of their client workstations. It appears that the attackers use the extensions to conduct click fraud, either to generate more revenue or for SEO purposes.
Four Malicious Chrome Extensions
Change HTTP Request Header
Nyoogle – Custom Logo for Google and Lite Bookmarks
Like Change HTTP Request Header, Nyoogle and Lite Bookmarks utilize a similar mix of allowing ‘unsafe-eval’ through the CSP with periodical configuration
Stickies – Chrome’s Post-it Notes
Chrome extensions continue to get compromised. In the initial compromise on Aug 1, attackers used the Copyfish extension to spread spam. Malware files have a size far beyond the ordinary and far beyond what is usually inspected by anti-virus solutions.
Chrome announced site isolation with Chrome 63, which allows each website to have a dedicated process isolated from other sites, and allows specific extensions to be whitelisted or blacklisted.
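The 'unsafe-eval' CSP relaxation described for these extensions can be checked for in an extension's manifest.json before it is whitelisted. The following is an added example, not code from the original article or from the researchers; the function names and the two sample manifests are constructed for illustration.

```python
import json

# Directives whose source list governs script execution in extension pages.
SCRIPT_DIRECTIVES = ("script-src", "default-src")

def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def csp_strings(manifest):
    """Yield (label, policy) for Manifest V2 (string) and V3 (object) layouts."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        yield "content_security_policy", csp
    elif isinstance(csp, dict):
        for key, value in csp.items():
            if isinstance(value, str):
                yield "content_security_policy." + key, value

def audit_manifest(manifest_text):
    """Return (name, policy label, directive) for policies that permit eval()."""
    manifest = json.loads(manifest_text)
    findings = []
    for label, policy in csp_strings(manifest):
        directives = parse_csp(policy)
        # script-src takes precedence over default-src when both are present.
        for name in SCRIPT_DIRECTIVES:
            if name in directives:
                if "'unsafe-eval'" in directives[name]:
                    findings.append((manifest.get("name", "?"), label, name))
                break
    return findings

# Constructed sample manifests (not taken from the extensions named above).
RELAXED = ('{"name": "sample-relaxed", "manifest_version": 2, "content_security_policy": '
           '"script-src \'self\' \'unsafe-eval\'; object-src \'self\'"}')
DEFAULT = ('{"name": "sample-default", "manifest_version": 2, "content_security_policy": '
           '"script-src \'self\'; object-src \'self\'"}')

if __name__ == "__main__":
    for text in (RELAXED, DEFAULT):
        print(audit_manifest(text) or "no eval relaxation")
```

A finding is a reason to review the extension, not proof of malice: some legitimate extensions also relax this directive.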