Threat analysts at McAfee unearthed five malicious Chrome extensions manufactured to track user's browsing activity and deploy code into e-commerce websites.
With over 1.4 million installs, the malicious extensions can alter cookies on e-commerce platforms without the victim’s knowledge so that scammers can receive affiliate payments for the purchased products.
The five malicious extensions that exploit affiliate marketing are as follows:
• Netflix Party (800,000 downloads),
• Netflix Party 2 (300,000),
• Full Page Screenshot Capture (200,000),
• FlipShope Price Tracker Extension (80,000),
• AutoBuy Flash Sales (20,000).
"The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website," McAfee researchers Oliver Devane and Vallabh Chole explained. "The latter borrows several phrases from another popular extension called GoFullPage."
All five extensions employ an identical methodology to target users. The web app manifest ("manifest.json" file), responsible for managing the extension behavior on the victim’s system, loads a multifunctional script (B0.js) that sends the browsing data to a domain the hackers' control (“langhort[.]com”).
The data is deployed via POST requests each time the victim visits a new URL. The stolen data includes the URL in base64 form, the user ID, device location (country, city, zip code), and an encoded referral URL. The researchers also disclosed that the user tracking and code injection behavior resides in a script named ‘b0.js’, which contains many other functions as well.
Additionally, the security firm identified the evasive mechanism that delays the malicious activity by 15 days from the time of installation of the extension to help keep its activity concerted and avoid raising red flags.
McAfee recommends users extensively check extensions before installing them, even if they already have a large install base, and to pay close attention to the permissions the extensions ask for, such as the permission to run on any website the user visits.
Last month, security researchers at Kaspersky estimated that more than 1.3 million users have been impacted by malicious browser extensions in just the first six months of this year alone. In fact, from January 2020 to June 2022, researchers unearthed that more than 4.3 million users had adware concealed in their browser extensions. Although Google is working rigorously to eliminate malicious extensions, new ones continue to pop up at a rapid pace.
