McAfee threat analysts discovered five Google Chrome extensions that track user’s browsing activities. The extensions have been downloaded over 1.4 million times.
Malicious extensions are used to track users’ visits to e-commerce websites and modify their cookie to make it appear that they have come through a referrer. The extensions’ authors receive an affiliate fee for all purchases made at electronic shops.
Noting that these extensions still have the promised functionality makes it harder for victims to spot the malicious activity, is important. They are not intended to be used by users, but they pose a serious privacy risk.
It is recommended that you immediately remove any of the above-mentioned extensions from your browser, even if they are useful.
How extensions work
McAfee discovered that all five extensions have the same behavior. McAfee’s web app manifest (manifest.json) file, which specifies how extensions should behave on the system and loads a multifunctional script (“B0.js”) that sends browsing data to a domain controlled by the attackers (“langhort[. ]com”).
Each time a user visits a new URL, the data is sent via POST requests. The URL in base64 form, user ID, device location (country and city), and encoded referral URL are some of the information that reach the fraudster.
If the URL of the visited website matches an entry on the list of websites to which the extension author is actively affiliated, B0.js will be sent and the server will respond with one of the two possible functions.
The first, “Result[’c’] – passf_url”, instructs the script to insert the URL provided (referral link), as an iframe on your visited website.
The second, “Result[e] setCookie”, instructs B0.js that it modify the cookie or replace the one provided if the extension is granted with the appropriate permissions.
Some extensions have a delay of 15 calendar days after installation to send out browser activity. This is done in order to evade detection and analysis.
The Chrome Web Store still has “Full Pagescreenshot Capture – Screenshotting” as well as “FlipShope Price Tracker Extension” available at the time of this writing.
Netflix Party Extensions have been removed from the website. However, this does not delete them from your web browsers. Users should still take manual action to remove them.
