Experts spotted five malicious Google Chrome extensions used by 1.4M users

Experts spotted five malicious Google Chrome extensions used by 1.4M users

Researchers spotted 5 malicious Google Chrome extensions used to track users’ browsing activity and profit of retail affiliate programs.

McAfee researchers discovered five malicious Google Chrome extensions with a total install base of over 1,400,000. The malicious Google Chrome extensions were masquerading as Netflix viewers, website coupons, and apps for taking screenshots of a website.

Name  Extension ID  Users 
Netflix Party  mmnbenehknklpbendgmgngeaignppnbe  800,000 
Netflix Party 2  flijfnhifgdcbhglkneplegafminjnhn  300,000 
FlipShope – Price Tracker Extension   adikhbfjdbjkhelbdnffogkobkekkkej  80,000 
Full Page Screenshot Capture – Screenshotting   pojgkmkfincpdkdgjepkmdekcahmckjp  200,000 
AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed  20,000 

The extensions a designed to track the user’s browsing activity, they are also able can insert code into eCommerce websites being visited. Basically, the extension modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.    

“Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.” reads the analysis published by the experts. “The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.”

malicious Google Chrome extensions

The manifest.json sets an HTML background page, which loads the javascript b0.js that sends every URL visited by the victims to the C2 and injects code into the eCommerce sites.

Below is a step-by-step flow of events while the users navigate to the BestBuy website.  

  1. The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 
  2. Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 
  3. passf_url() will perform a request against the URL 
  4. the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 
  5. The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 
  6. Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com  

Some of the extensions implement a time check before they would perform any malicious activity to avoid detection. The researchers noticed that the malicious extensions start operating after 15 days from their installation.  

“McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting. ” concludes the report. “The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog .”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Google Chrome extensions)




Leave a Reply

Your email address will not be published.