Threat analysts at McAfee found five Google Chrome extensions that steal users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times.
The purpose of the malicious extensions is to monitor when users visit e-commerce websites and to modify the visitor's cookie to appear as if they came through a referrer link. Through this, the authors of the extensions collect an affiliate fee for any purchases at electronic shops.
The four malicious extensions that McAfee researchers discovered are the following:
- Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
- Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
- Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
- AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads
It is worth noting that the above extensions still feature the promised functionality, making it more difficult for victims to notice the malicious activity. Although using them does not impact users directly, they are a severe privacy risk.
Thus, if you are using any of the listed extensions, even if you find their functionality useful, it is recommended to remove them from your browser immediately.
How the extensions work
All five extensions discovered by McAfee have a similar behavior. The web app manifest ("manifest.json" file), which dictates how the extension should behave on the system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the attackers control (“langhort[.]com”).
The data is delivered via POST requests each time the user visits a new URL. The info reaching the fraudster includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL.
If the visited website matches any entries on a list of websites for which the extension author has an active affiliation, the server responds to B0.js with one of two possible functions.
The first one, "Result['c'] – passf_url", orders the script to insert the provided URL (referral link) as an iframe on the visited website.
The second, "Result['e'] – setCookie", orders B0.js to modify the cookie or replace it with the provided one, provided the extension has been granted the permissions needed to perform this action.
McAfee has also published a video to showcase how the URL and cookie modifications happen in real time:
To evade detection, analysis, and to confuse researchers or vigilant users, some of the extensions feature a delay of 15 days from the time of their installation before they start sending out the browser activity.
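The POST-based reporting described above gives defenders a network-level indicator. The following added example (not code from McAfee or from the extensions) runs simple detection logic over a constructed proxy log: it flags POSTs to the reported domain and decodes the base64-encoded visited URL from the request body. The log record layout and the form field names (u, uid, ref) are assumptions made for the example; the report only states what kinds of data the body carries.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Domain that the B0.js script reports browsing data to, per McAfee's analysis.
EXFIL_DOMAIN = "langhort.com"


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _body(visited, uid):
    # Assumed field names; the extensions' real parameter names are not on the page.
    return urlencode({"u": _b64(visited), "uid": uid, "ref": ""})


# Constructed proxy log, one JSON record per line (not a real capture).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.0.0.7", "method": "POST", "url": "https://langhort.com/v1",
     "body": _body("https://shop.example.com/cart", "12345")},
    {"src": "10.0.0.7", "method": "GET", "url": "https://www.netflix.com/browse",
     "body": ""},
    {"src": "10.0.0.9", "method": "POST", "url": "https://cdn.langhort.com/v1",
     "body": _body("https://example.org/", "67890")},
    {"src": "10.0.0.9", "method": "POST", "url": "https://example.net/login",
     "body": "user=a"},
])


def is_exfil_host(host):
    """True for the indicator domain itself and any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)


def decode_leaked_url(body):
    """Recover the visited URL from the base64 field; None if absent or malformed."""
    fields = parse_qs(body)
    if "u" not in fields:
        return None
    try:
        return base64.b64decode(fields["u"][0], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_exfil_posts(log_text):
    """Return (source_ip, leaked_url) for every POST sent to the indicator domain."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host = urlsplit(rec["url"]).hostname or ""
        if rec["method"] == "POST" and is_exfil_host(host):
            hits.append((rec["src"], decode_leaked_url(rec["body"])))
    return hits


if __name__ == "__main__":
    for src, leaked in find_exfil_posts(SAMPLE_LOG):
        print(f"{src} leaked a visit to {leaked}")
```

Each hit identifies an internal host that still has one of the extensions installed, which is the manual clean-up step the article recommends.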
At the time of writing this, "Full Page Screenshot Capture – Screenshotting" is still available on the Chrome Web Store.
The two Netflix Party extensions have been removed from the store, but this doesn't delete them from web browsers, so users should take manual action to uninstall them.
Update 9/15/2022: This article was updated to remove an extension named Flipshope that was originally listed in McAfee's report.
McAfee says they removed the extension from the report after a new version was uploaded to the Chrome Store that had removed some potentially unwanted functionality.
However, in a statement to BleepingComputer, Flipshope says its extension never exhibited any malicious behavior.
"Flipshope, a shopping extension from India, previously included in this article doesn't agree with McAfee's allegations and explains in detail how these allegations don't stand valid for them," Flipshope shared in a statement to BleepingComputer.
Comments
fromFirefoxToVivaldi - 1 year ago
Full Page Screenshot Capture – Screenshotting has a "featured" status on the screenshot. Does Google not even check the code of extensions they feature?
hprnv - 1 year ago
But such loud words they use to describe this...
"Extensions awarded the Featured badge have been manually evaluated by “Chrome team members,” and follow Google’s “technical best practices and meet a high standard of user experience and design.”
This includes “using the latest platform APIs and respecting the privacy of end-users,” as well as “providing an enjoyable and intuitive experience.”
Nuub_NZ - 1 year ago
@fromFirefoxToVivaldi
Nope, Google does not seem to have to do that. But this is happening so often that maybe they should be forced to do something.