Chrome has blocked the AdBlock and uBlock extensions due to data manipulation using cookie stuffing

Written by Brendan Smith

Google experts have removed two dangerous ad blockers from the Chrome Web Store: AdBlock (about 800,000 users) and uBlock (850,000 users). These blockers tricked users with cookie stuffing.

Both extensions were fully functional, but they obviously disguised themselves as other popular blockers and engaged in fraud.

Google experts removed the problematic extensions after AdGuard experts discovered the fraudulent behavior of the blockers.

Researchers noticed that approximately 55 hours after installation, these extensions begin to exchange suspicious requests with their servers. In response to the extension's requests, the server sends a list of commands, after which the behavior of the “blocker” changes: in addition to blocking ads, it starts to do something else.

“It’s about cookie stuffing, a popular scam technique that is often used in affiliate marketing to capture traffic from legitimate sources,” – write AdGuard experts.

Researchers explain that each time the user visits a new domain, a request is sent to urldata.net. For example, after visiting teamviewer.com, the request sent will look like this:

http://urldata[.]net/api?key=4e4a7faf91b2bcda88a60e269e4d6208bfe8d3d6&out=https%3A%2F%2Fteamviewer.com&format=txt

The response to such a request will contain the following URL:

http://urldata[.]net/newapi/click/PvdHh16uGq6mLqmbUoT3AaUImj7ynsh0cVlCywkljEF19oBV0JH4jNYpn--xwIyEV36OMPPH1IrESEyclc7yxEbB3mYrfPMxnGqoV4SOmQ4MI9NYNHAQrPHwvJNE0W488ESUN1y7ONahVxwBZKnr4PZlZKI5gNi65DoIfYNwXAPoyFwh8Mgz1bX63V4PnjspvZa-DqjF5GTNxoIJqpHLC1_SwlFRYeoIvVGutkgfCSI4hMHa3z52VbL7VxbaQAhhqLC-uJUJO_s234VL3JDM01O-JE9PS6fXOH6z5XUojvotSQ5mZe7NFEsuMaeSK9rasy8MvaICWZpGDmgxIodzvMpJUv41ppkuqMBDDYpHptCEBb4Za_HffgaiKn-aY_COfan5P650B6ZTQsVqNKidMRRaHY4FxvM7VA79vX5_Oe0J0c9Wczw8VM9GrvzlGLdt4TjyBcF2JEtpcayh99JdL1wxrL_EoEHMml4LDy1JwT8LPxPG2vrlK5QSuoGrx-7tJLHD6Gq3SUeQj1XXEcENy77hkzU79TO9_hEs29Kq6ASdk6NKIZT8gOuJsNOAkU4i0Y9JvmEpdENyBL2ugmFNyitW2CfGzHrLsNex

The extension will immediately open this link in the background. This request will be followed by a chain of redirects and the last request in the chain will be this one:

https://www.teamviewer[.]com/en/content/2019-cj-emea/?coupon=aff-19-en-10-1&utm_source=affiliate&utm_medium=cj&utm_campaign=dedc1dc5d58611e982c203670a180513&utm_content=11&8585&affm_contj=293&utm_content=293&utm_content=2933&utm_content=2933&utm_content=293&utm_content=293&utm_content=293&utm_content=33=dedc1dc5d58611e982c203670a180513

Apparently, the address belongs to someone’s affiliate program with Teamviewer. In response, the browser will receive an “affiliate” cookie. As a result, if the user makes a purchase on teamviewer.com, the extension developer will receive a commission from Teamviewer.
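The sequence described above (a background lookup that names the site just visited, followed by a background load of that site with affiliate tagging) can be searched for in request logs. The sketch below is an added example, not AdGuard's tooling or code from the extensions; the log format with an `initiator` field, the `.example` hosts, the 30-second window and the `utm_source=affiliate` marker are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: (seconds, initiator, url). All hosts are placeholders.
SAMPLE_LOG = [
    (0.0, "tab", "https://shop.example/"),
    (0.4, "extension", "http://lookup.example/api?key=KEY_PLACEHOLDER"
                       "&out=https%3A%2F%2Fshop.example&format=txt"),
    (0.9, "extension", "http://lookup.example/newapi/click/TOKEN_PLACEHOLDER"),
    (1.5, "extension", "https://www.shop.example/en/content/"
                       "?coupon=PLACEHOLDER&utm_source=affiliate&utm_medium=cj"),
    (9.0, "tab", "https://news.example/?utm_source=newsletter"),
    (12.0, "extension", "https://filters.example/list.txt"),
]

def site(url):
    """Host without a leading 'www.' (simplification: no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def embedded_targets(url):
    """Sites named by URL-valued query parameters such as out=https%3A%2F%2F..."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    return {site(v) for v in values if v.startswith(("http://", "https://"))}

def has_affiliate_marker(url):
    """Assumed marker: utm_source=affiliate, as in the final URL the article quotes."""
    return "affiliate" in parse_qs(urlsplit(url).query).get("utm_source", [])

def find_cookie_stuffing(log, window=30.0):
    """Return (site, lookup_url, landing_url) for each suspected stuffing event."""
    findings, visited, leaked = [], {}, {}
    for ts, initiator, url in log:
        here = site(url)
        if initiator == "tab":          # user navigation: remember when it happened
            visited[here] = ts
            continue
        # Step 1: background request to another host that names a just-visited site.
        for target in embedded_targets(url):
            if target != here and target in visited and ts - visited[target] <= window:
                leaked[target] = (ts, url)
        # Step 2: background load of that same site carrying affiliate tagging.
        if here in leaked and has_affiliate_marker(url) and ts - leaked[here][0] <= window:
            findings.append((here, leaked[here][1], url))
    return findings

if __name__ == "__main__":
    for hit in find_cookie_stuffing(SAMPLE_LOG):
        print("suspected cookie stuffing:", hit)
```

A user who clicks an affiliate link in a tab is not flagged, because only requests that did not originate from a tab navigation are correlated.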

The scheme uses a large number of affiliate links. Some of the victims of the fraud are well-known names: microsoft.com, linkedin.com, aliexpress.com, booking.com. Experts note that this is far from all, and the full list is much longer.

Researchers write that the scale of this fraudulent campaign is amazing. In total, the extensions had more than 1.6 million active users, and cookies were replaced for at least 300 sites from the Alexa Top 10000 list. The exact damage from this campaign is difficult to assess, but AdGuard is confident that it is a few million US dollars per month.

How can you protect yourself?

  • If you’re going to install a browser extension, think again. Maybe you don’t really need it?
  • Don’t believe what you read in the extension’s description. Be aware that there’s almost no review process, and this can easily be a fake.
  • Reading the users’ reviews won’t help either. These two extensions had excellent reviews and yet they were malicious.
  • Don’t use the WebStore internal search; install extensions directly from the trusted developers’ websites.
About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
