Cyber Incident Victim: Wix.com

Date:

Apr 2016

Location:

United States of America

Summary

A botnet composed of malicious Chrome extensions targeted a website-building service, creating fraudulent accounts and auto-publishing free sites to propagate itself. The extensions injected code that spread via victims' Facebook Messenger contacts, luring recipients to install the rogue extensions through deceptive links. The attackers focused on expanding their botnet's reach but were thwarted when the service's security team detected and blocked further abuse of its infrastructure. The same threat actors later shifted tactics, hosting malicious sites on Google Drive in a subsequent campaign. Security experts highlighted the risk of attackers weaponizing legitimate extensions via vulnerabilities like cross-site scripting flaws, which could grant persistent browser control.

CIA Posture: Available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In April 2016, Wix.com experienced a significant cyberattack involving a botnet composed of malicious Chrome extensions. The attackers infected tens of thousands of users with a rogue extension that automatically generated new Wix accounts, published free websites on the platform, and disseminated links to these sites through the victims' Facebook Messenger accounts. Recipients of these messages were directed to the fraudulent Wix pages, where they were prompted to install the same malicious extension, perpetuating the infection cycle. The botnet's primary objective appeared to be expansion: it focused on increasing its reach rather than deploying an immediately harmful payload. Wix's security team, led by researcher Cohen, identified the anomalous activity, specifically the mass creation of accounts and websites, and intervened to block further abuse of its infrastructure. This containment prevented the attackers from escalating their operations, for example by redirecting users to more dangerous destinations. The incident caught the botnet in an experimental phase, with the attackers testing propagation methods through compromised browser extensions.
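The page says only that Wix's team spotted "the mass creation of accounts and websites"; it does not describe Wix's telemetry or detection logic. As an added illustration, not Wix's code, the Python below shows how the three signals that the described pattern leaves in a platform's own logs can be combined: a burst of account creations, sites published seconds after the account exists, and many unrelated accounts publishing the same outbound lure link. The log format, field names, thresholds and every event in SAMPLE_LOG are constructed for this example.

```python
"""
Added example: flagging the account-creation / auto-publish pattern described
above. Log format, field names, thresholds and sample events are constructed
assumptions for illustration, not Wix's real telemetry or detection logic.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: <ISO timestamp> <event> acct=<id> ip=<addr> <href=... | ->
# Bot-driven accounts a1..a5 come from different victim browsers (different IPs),
# but each publishes within seconds and links to the same lure page.
# h1 is a constructed legitimate user for contrast.
SAMPLE_LOG = """\
2016-04-14T10:00:01Z account_created acct=a1 ip=203.0.113.5 -
2016-04-14T10:00:03Z site_published acct=a1 ip=203.0.113.5 href=http://example.invalid/install
2016-04-14T10:00:04Z account_created acct=a2 ip=198.51.100.7 -
2016-04-14T10:00:05Z site_published acct=a2 ip=198.51.100.7 href=http://example.invalid/install
2016-04-14T10:00:07Z account_created acct=a3 ip=192.0.2.9 -
2016-04-14T10:00:08Z site_published acct=a3 ip=192.0.2.9 href=http://example.invalid/install
2016-04-14T10:00:09Z account_created acct=a4 ip=203.0.113.44 -
2016-04-14T10:00:10Z site_published acct=a4 ip=203.0.113.44 href=http://example.invalid/install
2016-04-14T10:00:11Z account_created acct=a5 ip=198.51.100.70 -
2016-04-14T10:00:12Z site_published acct=a5 ip=198.51.100.70 href=http://example.invalid/install
2016-04-14T10:37:00Z account_created acct=h1 ip=192.0.2.200 -
2016-04-14T11:12:30Z site_published acct=h1 ip=192.0.2.200 href=http://example.invalid/blog
"""


def parse_events(text):
    """Parse one constructed event per line into dicts keyed by POSIX timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, acct, ip, extra = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                          .replace(tzinfo=timezone.utc).timestamp(),
            "kind": kind,
            "acct": acct.split("=", 1)[1],
            "ip": ip.split("=", 1)[1],
            "href": extra.split("=", 1)[1] if extra.startswith("href=") else None,
        })
    return events


def creation_bursts(events, window_s=60, threshold=5):
    """Sliding window over account_created timestamps; return (window_start, count)
    for each window whose creation count reaches the threshold."""
    times = sorted(e["ts"] for e in events if e["kind"] == "account_created")
    bursts, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:   # slide the left edge forward
            start += 1
        count = end - start + 1
        if count >= threshold:
            bursts.append((times[start], count))
    return bursts


def publish_delays(events):
    """Seconds between each account's creation and its first site_published event."""
    created, delays = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "account_created":
            created[e["acct"]] = e["ts"]
        elif (e["kind"] == "site_published" and e["acct"] in created
              and e["acct"] not in delays):
            delays[e["acct"]] = e["ts"] - created[e["acct"]]
    return delays


def shared_links(events, min_accounts=3):
    """Outbound links that appear on sites published by >= min_accounts distinct accounts."""
    by_href = defaultdict(set)
    for e in events:
        if e["kind"] == "site_published" and e["href"]:
            by_href[e["href"]].add(e["acct"])
    return {h: a for h, a in by_href.items() if len(a) >= min_accounts}


def flag_accounts(log_text, max_delay_s=30, min_shared=3):
    """Accounts that published within max_delay_s of creation AND whose site carries a
    link shared by at least min_shared accounts. Either signal alone is noisy (templates
    publish fast; popular links are common); together they match the self-propagating
    pattern described above. Source IP is deliberately not used: each bot runs in a
    different victim's browser."""
    events = parse_events(log_text)
    fast = {a for a, d in publish_delays(events).items() if d <= max_delay_s}
    shared = set()
    for accts in shared_links(events, min_shared).values():
        shared |= accts
    return fast & shared


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("creation bursts (start, count):", creation_bursts(evs))
    print("flagged accounts:", sorted(flag_accounts(SAMPLE_LOG)))
```

The burst detector is kept separate from the per-account flagging on purpose: a burst is what triggers a human to look, while the fast-publish plus shared-link intersection is what is precise enough to act on (for example, to unpublish the sites and block the lure URL) without sweeping up ordinary users.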

Two months later, in June 2016, the same threat actors shifted tactics, abandoning Wix as a host and instead leveraging Google Drive to distribute malicious websites. Kaspersky Lab researchers documented this subsequent campaign, confirming the attackers' persistence. Cohen later analyzed the broader implications of such attacks, emphasizing that a rogue Chrome extension can execute arbitrary code on any website the victim visits. He noted that attackers need not rely solely on uploading malicious extensions to the Chrome Web Store: a vulnerability in a legitimate, already-installed extension, such as a cross-site scripting (XSS) flaw in one of its own pages, lets attacker-controlled web content run with that extension's permissions. Examples included an XSS vulnerability in an Adobe Acrobat-related extension pushed to users via a product update, and a similar flaw in AVG Web TuneUp, an extension forcibly installed by AVG antivirus software. Because an extension's permissions apply across sites and survive page loads, hijacking one grants persistent control over the victim's browser rather than a single origin. Cohen's research demonstrated proof-of-concept methods for weaponizing benign extensions in this way, underscoring the scalability of the attack vector. The Wix incident illustrated the risk of extensible browser ecosystems being co-opted for large-scale automated attacks.

Sources: 1 source (available to members)