Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users

Authored by Oliver Devane and Vallabh Chole 


A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000.



The extensions offer various functions, such as enabling users to watch Netflix shows together, providing website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage.



Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.


The users of the extensions are unaware of this functionality and of the privacy risk of having every site they visit sent to the servers of the extension authors.


The 5 extensions are:


Name | Extension ID | Users
Netflix Party | mmnbenehknklpbendgmgngeaignppnbe | 800,000
Netflix Party 2 | flijfnhifgdcbhglkneplegafminjnhn | 300,000
FlipShope – Price Tracker Extension | adikhbfjdbjkhelbdnffogkobkekkkej | 80,000
Full Page Screenshot Capture – Screenshotting | pojgkmkfincpdkdgjepkmdekcahmckjp | 200,000
AutoBuy Flash Sales | gbnahglfafmhaehbdmjedfhdmimjcbed | 20,000
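
As an added example (not code from the original article), the Python script below checks a Chrome "User Data" directory for the five extension IDs listed above and reports each match with its manifest version and background page. The function names and the sample profile are this example's own constructions; it assumes Chrome's on-disk layout of <profile>/Extensions/<extension id>/<version>/manifest.json.

```python
import json
import sys
import tempfile
from pathlib import Path

# Extension IDs and names copied from the article's table; all other names are this example's own.
FLAGGED = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope – Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture – Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}

def find_flagged_extensions(user_data_dir):
    """Scan <User Data>/<profile>/Extensions/<extension id>/<version>/manifest.json."""
    findings = []
    for ext_dir in sorted(Path(user_data_dir).glob("*/Extensions/*")):
        ext_id = ext_dir.name.lower()
        if ext_id not in FLAGGED or not ext_dir.is_dir():
            continue
        # One finding per installed version; fall back to the ID directory if it has none.
        for ver in sorted(v for v in ext_dir.iterdir() if v.is_dir()) or [ext_dir]:
            try:
                manifest = json.loads((ver / "manifest.json").read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                manifest = None  # missing or unreadable: the ID match is still reported
            manifest = manifest if isinstance(manifest, dict) else {}
            background = manifest.get("background")
            findings.append({
                "profile": ext_dir.parent.parent.name,
                "id": ext_id,
                "listed_name": FLAGGED[ext_id],
                "path": str(ver),
                "version": manifest.get("version"),
                "background_page": background.get("page") if isinstance(background, dict) else None,
            })
    return findings

def make_sample(root):
    """Constructed sample profile: one listed ID and one made-up, unlisted ID."""
    for ext_id in ("mmnbenehknklpbendgmgngeaignppnbe", "a" * 32):
        ver = Path(root, "Default", "Extensions", ext_id, "1.0.0_0")
        ver.mkdir(parents=True)
        (ver / "manifest.json").write_text('{"version": "1.0.0", "background": {"page": "bg.html"}}')
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    print(json.dumps(find_flagged_extensions(target), indent=2))
```

Run it with the path to Chrome's "User Data" directory as the only argument; with no argument it scans the constructed sample.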

 


Technical Analysis 


This section contains the technical analysis of the malicious Chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.


Manifest.json 



 


The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eC ..
