Google has removed two malicious ad blockers from the Chrome Web Store: AdBlock (about 800,000 users) and uBlock (850,000 users). Both blockers deceived users and engaged in cookie stuffing.
Both extensions were fully functional, but they clearly imitated other popular blockers and engaged in fraud. Google removed the problematic extensions after AdGuard researchers discovered their fraudulent behavior.
Researchers noticed that approximately 55 hours after installation, these extensions begin to exchange suspicious requests with their servers. In response to the extension's requests, the server sends a list of commands, after which the behavior of the “blocker” changes: in addition to blocking ads, it starts to do something else.
“It’s about cookie stuffing, a popular scam technique that is often used in affiliate marketing to capture traffic from legitimate sources,” – write AdGuard experts.
Researchers explain that whenever the browser navigates to a new domain, a request is sent to urldata.net. For example, after visiting teamviewer.com, the request will look like this:
http://urldata[.]net/api?key=4e4a7faf91b2bcda88a60e269e4d6208bfe8d3d6&out=https%3A%2F%2Fteamviewer.com&format=txt
The response to that request will contain the following URL:
http://urldata[.]net/newapi/click/PvdHh16uGq6mLqmbUoT3AaUImj7ynsh0cVlCywkljEF19oBV0JH4jNYpn--xwIyEV36OMPPH1IrESEyclc7yxEbB3mYrfPMxnGqoV4SOmQ4MI9NYNHAQrPHwvJNE0W488ESUN1y7ONahVxwBZKnr4PZlZKI5gNi65DoIfYNwXAPoyFwh8Mgz1bX63V4PnjspvZa-DqjF5GTNxoIJqpHLC1_SwlFRYeoIvVGutkgfCSI4hMHa3z52VbL7VxbaQAhhqLC-uJUJO_s234VL3JDM01O-JE9PS6fXOH6z5XUojvotSQ5mZe7NFEsuMaeSK9rasy8MvaICWZpGDmgxIodzvMpJUv41ppkuqMBDDYpHptCEBb4Za_HffgaiKn-aY_COfan5P650B6ZTQsVqNKidMRRaHY4FxvM7VA79vX5_Oe0J0c9Wczw8VM9GrvzlGLdt4TjyBcF2JEtpcayh99JdL1wxrL_EoEHMml4LDy1JwT8LPxPG2vrlK5QSuoGrx-7tJLHD6Gq3SUeQj1XXEcENy77hkzU79TO9_hEs29Kq6ASdk6NKIZT8gOuJsNOAkU4i0Y9JvmEpdENyBL2ugmFNyitW2CfGzHrLsNex
The extension immediately opens this link in the background. That request is followed by a chain of redirects, the last of which looks like this:
https://www.teamviewer[.]com/en/content/2019-cj-emea/?coupon=aff-19-en-10-1&utm_source=affiliate&utm_medium=cj&utm_campaign=dedc1dc5d58611e982c203670a180513&utm_content=11&8585&affm_contj=293&utm_content=293&utm_content=2933&utm_content=2933&utm_content=293&utm_content=293&utm_content=293&utm_content=33=dedc1dc5d58611e982c203670a180513
Apparently, the address belongs to someone's affiliate program with TeamViewer. In response, the browser receives an “affiliate” cookie. As a result, if the user later makes a purchase on teamviewer.com, the extension developer receives a commission from TeamViewer.
The scheme uses a large number of affiliate links; among the well-known sites affected by the fraud are microsoft.com, linkedin.com, aliexpress.com and booking.com. The researchers note that this is far from all, and the full list is much longer.
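The pattern described above (a third-party lookup that names the domain the user just visited, a redirect chain, and a landing on that same domain with affiliate parameters) can be spotted in a browser or proxy network log. The following is an added detection example written for this article; it is not code from AdGuard or from the extensions. It assumes a simple log format of “sequence number, HTTP status, URL”, uses a constructed sample log, and replaces the long API key and click token from the article with the placeholders KEY_PLACEHOLDER and TOKEN_PLACEHOLDER. It generalizes slightly beyond the `out=` parameter shown above: any query parameter carrying a full URL is treated as a possible lookup target.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of a browser network log ("seq status url"); it is not a
# capture from the real extensions. KEY_PLACEHOLDER / TOKEN_PLACEHOLDER stand
# in for the long key and click token quoted in the article.
SAMPLE_LOG = """\
1 200 https://teamviewer.com/
2 200 http://urldata.net/api?key=KEY_PLACEHOLDER&out=https%3A%2F%2Fteamviewer.com&format=txt
3 302 http://urldata.net/newapi/click/TOKEN_PLACEHOLDER
4 302 https://tracker.example/go?step=2
5 200 https://www.teamviewer.com/en/content/2019-cj-emea/?coupon=aff-19-en-10-1&utm_source=affiliate&utm_medium=cj
6 200 https://example.org/
7 200 https://www.example.org/news/?utm_source=newsletter&utm_medium=email
"""

# Query values that marked the affiliate landing in the article.
AFFILIATE_MARKERS = {"utm_source": ("affiliate",), "utm_medium": ("cj",)}

# How many later requests to inspect after a suspicious lookup (assumed window).
WINDOW = 10


def parse_log(text):
    """Turn 'seq status url' lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        seq, status, url = parts
        entries.append({"seq": int(seq), "status": int(status), "url": url})
    return entries


def site_of(url):
    """Hostname with a leading 'www.' stripped, so teamviewer.com == www.teamviewer.com."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def embedded_targets(url):
    """Sites named as full URLs inside the query string (e.g. out=https%3A%2F%2Fteamviewer.com)."""
    targets = set()
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                site = site_of(value)
                if site:
                    targets.add(site)
    return targets


def has_affiliate_markers(url):
    """True if the URL carries the affiliate tags seen on the final landing page."""
    query = parse_qs(urlparse(url).query)
    if any(v.startswith("aff-") for v in query.get("coupon", [])):
        return True
    return any(
        any(v.lower() in allowed for v in query.get(key, []))
        for key, allowed in AFFILIATE_MARKERS.items()
    )


def find_cookie_stuffing(log_text):
    """Correlate a third-party lookup naming site X with a later affiliate landing on X.

    Returns one finding per (lookup, landing) pair: the targeted site, the host
    that was asked about it, both log positions, and how many 3xx hops sat between.
    """
    entries = parse_log(log_text)
    findings = []
    for i, lookup in enumerate(entries):
        lookup_site = site_of(lookup["url"])
        for target in embedded_targets(lookup["url"]):
            if target == lookup_site:
                continue  # a site referencing itself is not a third-party lookup
            redirects = 0
            for later in entries[i + 1:i + 1 + WINDOW]:
                if 300 <= later["status"] < 400:
                    redirects += 1  # part of the redirect chain
                    continue
                if site_of(later["url"]) == target and has_affiliate_markers(later["url"]):
                    findings.append({
                        "target": target,
                        "lookup_host": lookup_site,
                        "lookup_seq": lookup["seq"],
                        "landing_seq": later["seq"],
                        "redirects": redirects,
                    })
                    break
    return findings


if __name__ == "__main__":
    for hit in find_cookie_stuffing(SAMPLE_LOG):
        print(f"{hit['lookup_host']} looked up {hit['target']} at #{hit['lookup_seq']}, "
              f"affiliate landing at #{hit['landing_seq']} after {hit['redirects']} redirects")
```

The correlation step is what matters: a single request to a tracking host, or a single URL with `utm_source=affiliate`, is not suspicious on its own, but a third-party host being told which site the user just opened, followed within a few hops by an affiliate-tagged landing on that very site, is the cookie-stuffing signature this article describes. A real deployment would key the window on browser tab or request initiator rather than on log order alone.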
Researchers write that the scale of this fraudulent campaign is striking. In total, the extensions had more than 1.6 million active users, with at least 300 replaced cookies for sites from the Alexa Top 10000 list. The exact damage from this campaign is difficult to assess, but AdGuard is confident that it amounts to a few million US dollars per month.
How can you protect yourself?
- If you’re going to install a browser extension, think again. Maybe you don’t really need it?
- Don’t believe what you read in the extension’s description. Be aware that there’s almost no review process, and the description can easily be fake.
- Reading users’ reviews won’t help either. These two extensions had excellent reviews and yet they were malicious.
- Don’t use the Web Store’s internal search; install extensions directly from trusted developers’ websites.