McAfee researchers discovered five malicious Google Chrome extensions with a total install base of over 1,400,000. The malicious Google Chrome extensions were masquerading as Netflix viewers, website coupons, and apps for taking screenshots of a website.
|Netflix Party 2||flijfnhifgdcbhglkneplegafminjnhn||300,000|
|FlipShope – Price Tracker Extension||adikhbfjdbjkhelbdnffogkobkekkkej||80,000|
|Full Page Screenshot Capture – Screenshotting||pojgkmkfincpdkdgjepkmdekcahmckjp||200,000|
|AutoBuy Flash Sales||gbnahglfafmhaehbdmjedfhdmimjcbed||20,000|
The extensions a designed to track the user’s browsing activity, they are also able can insert code into eCommerce websites being visited. Basically, the extension modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
“Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.” reads the analysis published by the experts. “The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.”
Below is a step-by-step flow of events while the users navigate to the BestBuy website.
Some of the extensions implement a time check before they would perform any malicious activity to avoid detection. The researchers noticed that the malicious extensions start operating after 15 days from their installation.
“McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting. ” concludes the report. “The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog .”
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Google Chrome extensions)