Analysts at McAfee found five Google Chrome extensions in the Chrome Web Store that harvested user data and spoofed cookies. Specifically, the extensions tracked when users visited certain e-commerce sites and modified cookies to make it look like the user had followed a referral link.
As a reminder, we have previously reported that a Chrome Extension Installed 200,000 Times Turned Out to Be Adware, and also that Malicious extensions for Chrome and Edge are still available for installation.

The five extensions, with a total of over 1.4 million downloads, were as follows:
- Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 installs;
- Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 installs;
- Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 installs;
- FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 installs;
- AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 installs.
It is noted that all of the extensions did provide their advertised functionality, which made it harder for victims to notice the malicious activity.
The researchers write that the use of these extensions did not directly harm users, but these products still posed a serious threat to privacy. According to analysts, all five extensions acted in the same way: the application manifest (the manifest.json file), which defines the extension's behavior in the browser, loaded a script (B0.js) that transmitted browsing data to a domain controlled by the attackers (langhort[.]com).
The data was sent in POST requests, and this happened every time the user visited a new URL. The information the scammers ended up receiving included the visited URL itself (base64-encoded), the user ID, the device location (country, city, zip code), and the encoded referral URL.
If the site the victim visited matched an entry in a special list of sites with which the malware authors were affiliated, the server responded to B0.js in one of two ways. In the first case, the command Result['c'] – passf_url told the script to insert the provided URL (a referral link) into the page as an iframe. In the second case, Result['e'] – setCookie told B0.js to change the cookie or replace it with the provided one (if the extension had the permissions to do so). McAfee posted a video demonstrating how these URL and cookie spoofs happened.
To avoid detection, complicate analysis, and mislead security researchers and vigilant users, some of the extensions did not begin their fraudulent activity until at least 15 days after installation.
Currently, all five extensions have already been removed from the Chrome Web Store, but this does not mean they have been removed from users’ browsers. Victims will have to remove the extensions manually.
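A local check for the five extension IDs listed above, as an added example that is not part of the McAfee report or this article: it walks a Chrome profile directory and reports any installed extension whose directory name matches one of those IDs. The profile layout, the helper names and the demo data are assumptions; only the IDs and extension names come from the report.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs and names as listed in the McAfee report (the only page-sourced values here).
FLAGGED_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture - Screenshotting",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}


def find_flagged_extensions(user_data_dir):
    """Scan <profile>/Extensions/<id>/<version>/ under one Chrome 'User Data' directory.

    Chrome unpacks each extension into a directory named by its ID, so matching the
    directory name is enough; manifest.json is read only for the user-visible name.
    Typical User Data paths: Windows %LOCALAPPDATA%\\Google\\Chrome\\User Data,
    macOS ~/Library/Application Support/Google/Chrome, Linux ~/.config/google-chrome.
    """
    hits = []
    for ext_root in Path(user_data_dir).glob("*/Extensions"):
        for ext_dir in ext_root.iterdir():
            if ext_dir.name not in FLAGGED_IDS or not ext_dir.is_dir():
                continue
            versions = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
            name = None
            for manifest in ext_dir.glob("*/manifest.json"):
                name = json.loads(manifest.read_text(encoding="utf-8")).get("name")
            hits.append({"profile": ext_root.parent.name, "id": ext_dir.name,
                         "reported_name": FLAGGED_IDS[ext_dir.name],
                         "installed_name": name, "versions": versions})
    return hits


def run_demo():
    """Build a constructed profile layout (one flagged, one benign extension) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, version, name in [
            ("mmnbenehknklpbendgmgngeaignppnbe", "1.0.0_0", "Netflix Party"),
            ("a" * 32, "2.1_0", "Harmless Example"),  # constructed benign ID
        ]:
            d = Path(tmp, "Default", "Extensions", ext_id, version)
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps({"name": name}), encoding="utf-8")
        return find_flagged_extensions(tmp)
```

For a live check, call find_flagged_extensions() on the real User Data path for your OS instead of the temporary demo directory.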