chris
Top Contributor
Just came across an example of a new extension being used for malicious purposes, definitely makes things harder to pick:
http://labs.sucuri.net/?note=2017-04-03
The third-party scripts load from what looks like a CloudFlare CDN. And if you open the cloudflare[.]solutions site, you’ll see it says "This Server is part of Cloudflare Distribution Network." However, WHOIS says that the domain had been registered just on February 11, 2017 to a Russian company, (removed) and is now hosted in Ukraine on a server with IP (removed).
http://labs.sucuri.net/?note=2017-04-03