On Wednesday, August the 2nd, we saw that the two popular Chrome extensions Web Developer and Copyfish had been hijacked. Attackers added malicious code to the extensions, which is used to inject ads into websites the user visits and could possibly also collect sensitive data from the user.
As security enthusiasts at TransIP, we decided to take a look at the code that was added to the Web Developer extension. We found that the code acts as a stager which downloads a JavaScript file from a URL in the following format: wd + md5(d-m-yyyy) + .win/ga.js
Thus, each day the domain where the malicious JavaScript file is hosted changes. We also found that the domains generated for 4-8-2017 and onwards had not been claimed yet. As we want to do our part to make the internet a safer place, we decided to purchase the URLs for enough future days to make sure that the file can't do any more harm until users have updated it. We will make sure the URL results in a 404 so no more malicious files are loaded by the affected versions of the extension.
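For defenders who want to check their own DNS or proxy logs for affected browsers, the daily domain can be recomputed from the format above. This is an added example, not code from the extension or from TransIP; it assumes the MD5 is the lowercase hex digest and that the date is not zero-padded (as in "4-8-2017"), and the log lines are constructed samples.

```python
import hashlib
import re
from datetime import date, timedelta

# Shape of any generated host: "wd" + 32 hex chars + ".win" (assumes hex MD5 digest).
DGA_SHAPE = re.compile(r"\bwd[0-9a-f]{32}\.win\b")


def date_string(day: date) -> str:
    # Assumption: d-m-yyyy without zero padding, as in the post's "4-8-2017".
    return f"{day.day}-{day.month}-{day.year}"


def domain_for(day: date) -> str:
    digest = hashlib.md5(date_string(day).encode("ascii")).hexdigest()
    return f"wd{digest}.win"


def blocklist(start: date, days: int) -> dict:
    """Map each generated domain to the date that produces it."""
    return {domain_for(start + timedelta(n)): start + timedelta(n) for n in range(days)}


def scan(lines, known):
    """Return (line, host, date or None) for each line naming a DGA-shaped host."""
    hits = []
    for line in lines:
        for host in DGA_SHAPE.findall(line.lower()):
            hits.append((line, host, known.get(host)))
    return hits


# Constructed sample proxy log lines (not real traffic).
KNOWN = blocklist(date(2017, 8, 4), 30)
SAMPLE_LOG = [
    f"2017-08-04T09:12:01Z GET http://{domain_for(date(2017, 8, 4))}/ga.js 404",
    "2017-08-04T09:12:02Z GET http://www.example.com/ga.js 200",
    f"2017-08-20T17:40:13Z GET http://{domain_for(date(2017, 8, 20))}/ga.js 404",
    "2017-08-21T08:00:00Z GET http://wd" + "0" * 32 + ".win/ga.js 404",
]

if __name__ == "__main__":
    for line, host, day in scan(SAMPLE_LOG, KNOWN):
        label = date_string(day) if day else "shape match only"
        print(f"{host}  ({label})  <- {line}")
```

A hit with a date means the host matches the generated name for that day; a "shape match only" hit has the right form but falls outside the computed date range and needs a manual look.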