The Latest in IT Security

Search for Google Chrome leads to Compromised Chrome Plugin Forum


This morning the Websense® ThreatSeeker® Network alerted us that if a user enters the term “Download Chrome” in Google Search, the 36th result leads to potentially malicious content being downloaded to the user’s machine.

I’ll briefly describe the attack vector in which the content is sent to the user.

Web Search

Search for “Download Chrome”:


The 36th result leads to a compromised, unofficial Google Chrome plugin Web page:


Compromised Web site

The 36th result leads to this website:

The above site:

is a legitimate, unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised.

One indicator that this is a compromised site, as opposed to a site set up for strictly malicious purposes, is the whois registration information, which helps indicate reputation: the domain was registered in 2008. The registration details also seem to indicate that real information was provided. Again, this isn’t a 100% foolproof indication that the site was compromised, but it does help as circumstantial evidence.



Looking at the source code of this Web page, we see that the page redirects the user’s browser to two malicious Web sites:

1) (via JavaScript include – this is a Google AdSense typo-squatted URL!)

2) (via iframe HTML tag include – results in a server 503 = Service Unavailable)

This redirection diagram shows the content the user is served by visiting the Chrome Plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):


Google AdSense Typo-Squatted URL

The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it’s clearly not a site owned by Google Inc.

Notice the details:

The real Google hosting server for show_ads.js is (notice the letter “l” changed out for the letter “i” in the word “syndication”).
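A check for this kind of look-alike include, as an added example that is not part of the original post: it collects the hosts of every script and iframe include on a page and flags any whose domain label is within a small edit distance of a trusted one. The allowlist, the sample HTML and its `.example` hosts are constructed assumptions, not values from the analysed site.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: analyst-maintained allowlist of domains the page may load from.
TRUSTED = ("google.com", "googlesyndication.com")

# Constructed sample page; the .example hosts are placeholders.
SAMPLE = """
<script src="http://pagead2.googiesyndication.example/pagead/show_ads.js"></script>
<script src="https://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<iframe src="http://stats.unrelated.example/in.php" width="1" height="1"></iframe>
"""

def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

class IncludeCollector(HTMLParser):
    """Collects (tag, host) for every <script src> and <iframe src>."""
    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = urlsplit(src).hostname if src else None
        if tag in ("script", "iframe") and host:
            self.includes.append((tag, host.lower()))

def find_lookalikes(html, trusted=TRUSTED, max_dist=2):
    """Return (tag, host, imitated_domain) for near-miss third-party includes."""
    collector = IncludeCollector()
    collector.feed(html)
    hits = []
    for tag, host in collector.includes:
        # Simplification: last two labels; real tooling should use the Public Suffix List.
        domain = ".".join(host.split(".")[-2:])
        if domain in trusted:
            continue
        label = domain.split(".")[0]
        for good in trusted:
            if edit_distance(label, good.split(".")[0]) <= max_dist:
                hits.append((tag, host, good))
    return hits

if __name__ == "__main__":
    print(find_lookalikes(SAMPLE))
```

Only the first script include is reported; the genuine host and the unrelated iframe host are left alone, so the check isolates the typo-squat rather than every third-party include.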

I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.

Websense customers are protected from these threats by ACET, our Advanced Classification Engine.

Stephan Chenette – Principal Security Researcher





TUESDAY, JUNE 25, 2024
