Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers, and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.

Browser extensions are used for customizing web browsers, modifying user interfaces, blocking ads and managing cookies. But researchers said that the malicious extensions they discovered are instead part of a massive malvertising campaign that also harvested browser data. Malvertising often is used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages.

Researchers believe that the actor behind this campaign was active since January 2019, with  activity escalating between March and June. After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google’s Chrome Web Store, and the source code of the extensions are all nearly identical.

Once downloaded, the extensions would connect the browser clients to a command-and-control (C2) server and then exfiltrate private browsing data without the users’ knowledge, researchers said.

The extension would also redirect browsers to various domains with advertising streams. While a large portion of these ad streams were actually benign (leading to ads for Macy’s, Dell or Best Buy), these legitimate ad streams were coupled with malicious ad streams that redirected users to malware and phishing landing pages.

The campaign highlights various security issues that browser extensions can introduce, researchers said. In 2017, a malicious Google Chrome extension being spread in phishing emails stole any data posted online by victims. In 2018, four malicious extensions were discovered in the official Google Chrome Web Store with a combined user count of more than 500,000. And, in January, the Google Chrome and Mozilla Firefox teams cracked down on web browser extensions that stole user data and executed remote code, among other bad actions.