Authored by Oliver Devane and Vallabh Chole
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000
The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage
Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.
The 5 extensions are
Name
Extension ID
Users
Netflix Party
mmnbenehknklpbendgmgngeaignppnbe
800,000
Netflix Party 2
flijfnhifgdcbhglkneplegafminjnhn
300,000
FlipShope – Price Tracker Extension
adikhbfjdbjkhelbdnffogkobkekkkej
80,000
Full Page Screenshot Capture – Screenshotting
pojgkmkfincpdkdgjepkmdekcahmckjp
200,000
AutoBuy Flash Sales
gbnahglfafmhaehbdmjedfhdmimjcbed
20,000
Technical Analysis
This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.
Manifest.json
The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites.
B0.js
The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.
Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.
Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:
Variable
Description
Ref
Base64 encoded referral URL
County
The county of the device
City
The city of the device
Zip
The zip code of the device
Apisend
A random ID generated for the user.
Name
Base64 encoded URL being visited
ext_name
The name of the chrome extensions
The random ID is created by selecting 8 random characters in a character set. The code is shown below:
The country, city, and zip are gathered using ip-api.com. The code is shown below:
Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below:
The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains.
Two of the functions are detailed below:
Result[‘c’] – passf_url
If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.
Result[‘e’] setCookie
If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.
Behavioral flow
The images below show the step-by-step flow of events while navigating to the BestBuy website.
The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/
Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url()
passf_url() will perform a request against the URL
the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners
The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user
Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com
Here is a video of the events
Time delay to avoid automated analysis
We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.
Conclusion
This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.
McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.
The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.
The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.
Type
Value
Product
Detected
Chrome Extension
Netflix Party – mmnbenehknklpbendgmgngeaignppnbe
Total Protection and LiveSafe
JTI/Suspect
Chrome Extension
FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej
Total Protection and LiveSafe
JTI/Suspect
Chrome Extension
Full Page Screenshot Capture
pojgkmkfincpdkdgjepkmdekcahmckjp
Total Protection and LiveSafe
JTI/Suspect
Chrome Extension
Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn
Total Protection and LiveSafe
JTI/Suspect
Chrome Extension
AutoBuy Flash Sales gbnahglfafmhaehbdmjedfhdmimjcbed
Total Protection and LiveSafe
JTI/Suspect
URL
www.netflixparty1.com
McAfee WebAdvisor
Blocked
URL
netflixpartyplus.com
McAfee WebAdvisor
Blocked
URL
flipshope.com
McAfee WebAdvisor
Blocked
URL
goscreenshotting.com
McAfee WebAdvisor
Blocked
URL
langhort.com
McAfee WebAdvisor
Blocked
URL
Unscart.in
McAfee WebAdvisor
Blocked
URL
autobuyapp.com
McAfee WebAdvisor
Blocked
The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.
More Stories
Friday Squid Blogging: Squid Sticker
A sticker for your water bottle. Blog moderation policy. Read More
Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe
OpenAI must also initiate a six-month public awareness campaign across Italian media, explaining how it processes personal data for AI...
Ukraine’s Security Service Probes GRU-Linked Cyber-Attack on State Registers
The Security Service of Ukraine has accused Russian-linked actors of perpetrating a cyber-attack against the state registers of Ukraine Read...
LockBit Admins Tease a New Ransomware Version
The LockBitSupp persona said LockBit 4.0 will be launched in February 2025 Read More
Webcams and DVRs Vulnerable to HiatusRAT, FBI Warns
The FBI has issued a warning about the Hiatus RAT malware targeting Xiongmai and Hikvision web cameras and DVRs, urging...
CISA Urges Encrypted Messaging After Salt Typhoon Hack
The US Cybersecurity and Infrastructure Security Agency recommended users turn on phishing-resistant MFA and switch to Signal-like apps for messaging...