Posted on August 31, 2022 at 3:01 PM
Security researchers at McAfee have discovered five Google Chrome extensions that track users’ browsing history and activities. According to the report, the extensions have been collectively downloaded over 1.4 million times.
The malicious extensions monitor when users visit eCommerce websites. They also update the visitor's cookie so that the visit appears to have come from a referrer link. As a result, the operators of the five extensions receive affiliate fees for any purchases made at those online shops.
The five malicious extensions discovered include AutoBuy Flash Sales (20,000 downloads), FlipShope Price Tracker Extension (80,000 downloads), Full Page Screenshot Capture (200,000 downloads), Netflix Party 2 (300,000 downloads), and Netflix Party, with over 800,000 downloads.
The Extensions Disguise As Genuine Products
Like several other malicious extensions, these disguise themselves as offering genuine services. They still deliver the promised functionality to users, which makes them difficult to identify as malicious. While using them may not have a direct impact on users, they pose serious privacy risks to those who download them. Once given access to the user's system, they continue to perform their advertised function, but the browsing data they collect could also be used by other malicious software in the future.
Those using the listed extensions may not find them harmful because of the functionality they provide. But it is recommended that they are removed from the browser because there may be an ulterior motive behind their functions.
The Extensions Operate Similarly
McAfee researchers noted that all five extensions they discovered have similar features and behaviors. This suggests that they could be operated by a single entity or group. The web app manifest, which controls how an extension behaves on the system, loads a multifunctional script. This script delivers the browsing data to a domain controlled by the threat actors.
The extensions send the data through POST requests whenever the user visits a new URL. The information delivered to the threat actor includes the device location, the user ID, the visited URL in base64 form, and the encoded referral URL.
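The POST pattern described above (a beacon on every navigation that carries the visited URL base64-encoded) is something a defender can look for in proxy or web-filter logs. The following is an added example, not McAfee's code or anything from the extensions themselves: it takes constructed request records, base64-decodes each form field, and flags any outbound POST whose fields decode to http(s) URLs. The destination hostname is a placeholder, not the real reporting domain.

```python
"""Flag outbound POST bodies that carry visited URLs in base64 form.

Added example with constructed log records. The collector hostname is a
placeholder and does not refer to any real infrastructure.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs


def _b64(s: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(s.encode()).decode()


# Constructed records resembling what a proxy might log for browser traffic.
SAMPLE_RECORDS = [
    {
        "method": "POST",
        "host": "collector.example.invalid",  # placeholder, constructed
        "body": (
            f"u={_b64('https://shop.example.com/cart')}"
            f"&r={_b64('https://search.example.net/')}"
            "&id=user-7f3a&loc=US"
        ),
    },
    {"method": "POST", "host": "api.shop.example.com", "body": "item=42&qty=1"},
    {"method": "GET", "host": "www.example.com", "body": ""},
]


def decode_if_url(value: str) -> Optional[str]:
    """Return the decoded text if `value` is strict base64 for an http(s) URL."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def find_url_exfil(records, first_party_hosts):
    """Return POSTs to non-first-party hosts whose form fields decode to URLs.

    Each hit records the destination host and the field name -> decoded URL,
    which is the browsing-history leak a reviewer would want to see.
    """
    hits = []
    for rec in records:
        if rec["method"] != "POST" or rec["host"] in first_party_hosts:
            continue
        fields = parse_qs(rec["body"])
        leaked = {}
        for name, values in fields.items():
            url = decode_if_url(values[0])
            if url:
                leaked[name] = url
        if leaked:
            hits.append({"host": rec["host"], "leaked": leaked})
    return hits


if __name__ == "__main__":
    for hit in find_url_exfil(SAMPLE_RECORDS, {"api.shop.example.com"}):
        print(hit["host"], "->", hit["leaked"])
```

Strict decoding (`validate=True`) keeps short tokens such as user IDs and country codes from being mistaken for base64, and the first-party allow-list keeps a shop's own checkout POSTs out of the results.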
When the visited site matches an entry on a list of sites with which the author is affiliated, the server responds to B0.js with a set of functions.
First, the script is instructed to insert the supplied URL as an iframe on the visited site. Second, the “Result[‘e’] setCookie” function directs B0.js to replace the cookie with the one provided. This is possible only if the extension has been granted the permissions required to carry out these actions.
To clarify things further, McAfee has also made a video available showing how the cookie and URL modifications occur in real time.
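The behaviour described above (a script running on every site, rewriting cookies and inserting iframes) depends on the extension holding a specific set of permissions, so one practical review step is to audit an extension's manifest.json before installing it. The following is an added example and not a tool from McAfee or any of the extensions named; the manifest it inspects is constructed for illustration, and the permission names are Chrome's standard manifest keys.

```python
"""Audit a Chrome extension manifest for the permission set that enables
site-wide cookie rewriting and DOM injection.

Added example. SAMPLE_MANIFEST is constructed and is not the manifest of
any real extension.
"""
import json

# Constructed Manifest V3 example shaped like a risky extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Price Tracker (constructed)",
    "version": "1.0",
    "permissions": ["cookies", "storage", "tabs", "webNavigation"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["b0.js"], "run_at": "document_start"}
    ],
})

# Constructed benign manifest for comparison: no host access, no cookies.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Notepad (constructed)",
    "version": "1.0",
    "permissions": ["storage"],
})

# Match patterns that grant access to every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _is_broad(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS


def audit_manifest(manifest_json: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", []))
    # Manifest V2 placed host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    broad_hosts = any(_is_broad(h) for h in hosts)

    if broad_hosts:
        findings.append("broad host access: extension can read and modify every site")
    if "cookies" in perms and broad_hosts:
        findings.append("cookies + broad host access: can rewrite cookies (e.g. a referrer) on any site")
    for cs in m.get("content_scripts", []):
        if any(_is_broad(p) for p in cs.get("matches", [])):
            findings.append(f"content script {cs.get('js')} runs in every page: can insert iframes")
    if perms & {"tabs", "webNavigation"}:
        findings.append("tabs/webNavigation: can observe every URL the user visits")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

None of these permissions is malicious on its own; a legitimate price tracker may need several of them. The point of the audit is that the combination of site-wide host access, the `cookies` permission and an all-sites content script is exactly what the reported behaviour requires, so an extension requesting all of it deserves closer scrutiny.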
The Operators Designed The Extensions To Evade Detection
The researchers have also explained how the threat actors position the malicious extensions to evade detection. They noted that some of the extensions wait for about 15 days after installation. During this period, they perform only the functions they are advertised to perform. After 15 days, they start sending the browsing activity to the control server.
As of press time, Price Tracker Extension and Full Page Screenshot Capture are still available on the Chrome Web Store.
However, the Netflix Party extensions are no longer available on the store, although that does not mean they have been removed from users' browsers. Users are required to uninstall them manually.
While the extensions carry out the functions the user wanted, they also inject unwanted code into the user's browser. Whenever the user moves to a new web page, the extension first checks whether it can insert an affiliate revenue code. This allows the operators of the extension to earn affiliate commissions whenever the user buys things online.
Earlier this month, cybersecurity researchers at Kaspersky estimated that over 1.3 million users were affected by malicious browser extensions in H1 2022. Over a longer window, an estimated 4.3 million users were affected by malicious extensions between January 2020 and June 2022. Most of these users installed the extensions thinking they were genuine.
Google has always taken a serious stance against these malicious extensions. But as the tech giant continues to remove the offending extensions, more keep popping up at an alarming rate.