Home » Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users

0 comment

Authored by Oliver Devane and Vallabh Chole 

A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000

The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage 

Apart from offering the intended functionality, the extensions also track the user’s browsing activity.  Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.    

The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.  

The 5 extensions are  

Name 

Extension ID 

Users 

Netflix Party 

mmnbenehknklpbendgmgngeaignppnbe 

800,000 

Netflix Party 2 

flijfnhifgdcbhglkneplegafminjnhn 

300,000 

FlipShope – Price Tracker Extension 

 

adikhbfjdbjkhelbdnffogkobkekkkej 

80,000 

Full Page Screenshot Capture – Screenshotting 

 

pojgkmkfincpdkdgjepkmdekcahmckjp 

200,000 

AutoBuy Flash Sales 

gbnahglfafmhaehbdmjedfhdmimjcbed 

20,000 

 
Technical Analysis 

This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.   
Manifest.json 

 

The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites. 
B0.js 

The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.  

Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.

Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:

Variable 

Description 

Ref 

Base64 encoded referral URL 

County 

The county of the device 

City 

The city of the device 

Zip 

The zip code of the device 

Apisend 

A random ID generated for the user. 

Name 

Base64 encoded URL being visited 

ext_name 

The name of the chrome extensions 

 

The random ID is created by selecting 8 random characters in a character set. The code is shown below: 

The country, city, and zip are gathered using ip-api.com. The code is shown below: 

Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below: 

The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains. 

Two of the functions are detailed below: 

Result[‘c’] – passf_url 

If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.  

Result[‘e’] setCookie 

If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.  

Behavioral flow 

The images below show the step-by-step flow of events while navigating to the BestBuy website.  

The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 

Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 

passf_url() will perform a request against the URL 

the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 

The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 

Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com  

Here is a video of the events 

Time delay to avoid automated analysis 

We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.  

Conclusion  

This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.  

McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.   

The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog  

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.   

The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.  

Type 

Value 

Product 

Detected 

Chrome Extension 

Netflix Party – mmnbenehknklpbendgmgngeaignppnbe 

Total Protection and LiveSafe 

JTI/Suspect 

Chrome Extension 

FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej 

Total Protection and LiveSafe 

JTI/Suspect 

Chrome Extension 

Full Page Screenshot Capture 

pojgkmkfincpdkdgjepkmdekcahmckjp 

Total Protection and LiveSafe 

JTI/Suspect 

Chrome Extension 

Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn 

Total Protection and LiveSafe 

JTI/Suspect 

Chrome Extension 

AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed 

Total Protection and LiveSafe 

JTI/Suspect 

URL 

www.netflixparty1.com 

McAfee WebAdvisor 

Blocked 

URL 

netflixpartyplus.com 

McAfee WebAdvisor 

Blocked 

URL 

flipshope.com 

McAfee WebAdvisor 

Blocked 

URL 

goscreenshotting.com 

McAfee WebAdvisor 

Blocked 

URL 

langhort.com 

McAfee WebAdvisor 

Blocked 

URL 

Unscart.in 

McAfee WebAdvisor 

Blocked 

URL 

autobuyapp.com 

McAfee WebAdvisor 

Blocked 

The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.

Source: Read More

You may also like

Leave a Comment

CyberNonStop

Cybernonstop is created to bring news and knowledge through articles to visitors.

Do not forget to subscribe.

Laest News

@2021 – All Right Reserved. Designed and Developed by PenciDesign