Vulnerabilities/Malwares

Experts Discover Malicious Cookie Stuffing Chrome Extensions Used By 1.4 Million Users

Published

on

Five fake extensions for Google Chrome have been discovered to track browsing habits and make a profit from affiliate programs.

“The extensions offer a variety of functions such as enabling users watch Netflix shows together and website coupons, and taking screenshots from a website,” McAfee researchers Oliver Devane stated. “The latter borrows many phrases from GoFullPage, a popular extension.

These browser add-ons – which are available through the Chrome Web Store and have been downloaded 1.4 Million times – can be found here –

  • Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
  • Netflix Party (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
  • FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
  • Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
  • AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads.

These extensions load JavaScript to inject malicious code into ecommerce portals. This allows attackers to make money from affiliate programs that allow victims to purchase products.

Researchers noted that every website visited is sent to extensions creator servers. They do this to insert code on eCommerce websites they visit. This modifies cookies on the site to allow extension authors to receive affiliate payments for items purchased.

A technique is also included in the malware that delays malicious activity for 15 days after installation of the extension. This helps to keep it concerted and prevents red flags.

These findings are the result of the March 2022 discovery of 13 Chrome extension that were redirected users to phishing websites and exfiltrating sensitive information.

All five add-ons were removed from the Chrome Web Shop on Wednesday. To reduce further risk, Chrome users who have installed the extensions should manually delete them.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version