- McAfee researchers announced that they had discovered 5 popular malicious Chrome extensions with a total install base of over 1,400,000.
- The extensions contained a time check before they would perform any malicious activity, to avoid detection in automated analysis environments.
- Even though some of these extensions have been removed from the web store, users should still uninstall them manually from their web browsers.
McAfee has once again identified malicious Chrome extensions that redirect users to phishing sites and insert affiliate IDs into the cookies of eCommerce sites. Researchers investigated several extensions and found 5 Chrome extensions with a total of over 1.4 million downloads. These imposter extensions mimic legitimate extensions and, when the user visits an e-commerce website, modify its cookies so that the visit appears to have come through a referrer link.
Tracks users’ browsing activities
The extensions mimic various legitimate ones, such as an extension for watching Netflix together, website coupons, or taking screenshots. However, besides their advertised functionality, they also track users’ browsing activity: they send the visited websites to the malicious actors’ servers and insert code into the eCommerce websites being visited. The referrer link enables the threat actors to receive an affiliate payment for items purchased by the users. The 5 extensions, their extension IDs, and their numbers of users are:
- Netflix Party (mmnbenehknklpbendgmgngeaignppnbe): 800,000
- Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn): 300,000
- FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej): 80,000
- Full Page Screenshot Capture – Screenshotting (pojgkmkfincpdkdgjepkmdekcahmckjp): 200,000
- AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed): 20,000
The report also shows that some extensions wait for 15 days before they start sending browser activity, in order to prevent detection and confuse users or researchers. Some of those extensions are still available on the web store, so experts are urging users to remove them manually from Chrome. McAfee researchers said,
« McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.
The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit. »
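To act on both the ID list and the permissions advice above, the following added example (not McAfee's code) audits a Chrome profile's installed extensions: it flags any of the five reported IDs and any extension whose manifest requests access to every website. It assumes Chrome's on-disk layout `Extensions/<extension id>/<version>/manifest.json`; the function names are illustrative, and the directory to scan is supplied by the reader.

```python
import json
from pathlib import Path

# Extension IDs listed in the article above.
REPORTED_IDS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope – Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture – Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}
# Match patterns that let an extension run on every website.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_patterns(manifest):
    """Return the all-site match patterns a manifest requests."""
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])  # Manifest V3
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted({p for p in requested if isinstance(p, str) and p in BROAD})


def audit_extensions(extensions_dir):
    """Scan <extensions_dir>/<id>/<version>/manifest.json (assumed layout)."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "reported": ext_id in REPORTED_IDS,
            "broad": broad_patterns(manifest),
        })
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # profile's Extensions dir
    for f in audit_extensions(root):
        if f["reported"] or f["broad"]:
            tag = "REPORTED" if f["reported"] else "broad access"
            print(f'{tag}: {f["id"]} {f["name"]} {f["broad"]}')
```

A "broad access" result is only a prompt to verify the extension's authenticity, since many legitimate extensions also request all-site access; a "REPORTED" result matches one of the IDs in the list above.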