
Hackers Exploit Cookie-Stuffing Chrome Extensions to Spy on Users

The Chrome Web Store is a treasure trove of browser extensions and utilities for Google Chrome users. However, wherever users gather, attackers follow. Hackers are increasingly targeting Chrome extensions to commit affiliate fraud or steal sensitive credentials from browsers. Researchers found five cookie-stuffing Chrome extensions in the Chrome Web Store.

Browser extensions offer miscellaneous utilities, such as letting users capture a screenshot of an entire web page in one go, generate website coupons, watch Netflix shows together, and so on. Browser extensions can also track users' browsing activities and personal preferences on the web. Cookie-stuffing Chrome extensions are Google Chrome extensions that modify the cookies on a site so that the extension creators receive affiliate payment for items purchased there.

How are attackers leveraging imposter chrome extensions?

A few months ago, McAfee Labs discovered malicious extensions that can redirect users to phishing sites. The team then focused their research on several other Chrome extensions. They found five imposter cookie-stuffing Chrome extensions that tracked the victim's browsing activities to exploit retail affiliate programs. These malicious Chrome extensions are:

  • Netflix Party: 800,000+ downloads

  • Full Page Screenshot Capture: Screenshotting: 200,000+ downloads

  • FlipShope: Price Tracker Extension: 80,000+ downloads

  • Netflix Party: 300,000+ downloads (different from the first)

  • AutoBuy Flash Sales: 20,000+ downloads

Together, these browser extensions recorded 1.4 million downloads. McAfee researchers Oliver Devane and Vallabh Chole mentioned, "The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage." Currently, the "Full Page Screenshot" and "FlipShope" extensions are still available for installation and can pose a threat to users. Google has removed Netflix Party and the other extensions from the Web Store.

How do these imposter Chrome extensions work?

According to McAfee Labs' researchers, all the imposter extensions behave similarly. Each extension loads a piece of JavaScript responsible for managing the browser's tabs and tracking the websites they visit. That JavaScript also injects illicit code into e-commerce portals as part of the cookie stuffing. This malicious injection is how the attackers make money through affiliate programs.

Whenever a victim purchases anything from a targeted e-commerce site, the extension authors get a percentage of the profit for that purchase. Researchers identified that the extensions have a manifest.json that sets the background page to bg.html. That page loads a b0.js file responsible for transmitting the URL being visited and injecting malicious code into any e-commerce site. Researchers also noted that the code creates random IDs by selecting eight arbitrary characters from a character set.

McAfee researchers added, "Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into e-commerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased." Apart from all these functionalities, these cookie-stuffing Chrome extensions also have a mechanism that delays the malicious activity by 15 days from the day of installation, to help evade red flags raised by reviewers and users testing the extension right after install.
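The behaviour described above (a background page that sees every URL the user visits, reaches every site, and rewrites cookies) leaves a recognisable footprint in an extension's manifest.json before any of its JavaScript runs. The following static triage script is an added example, not code from the McAfee research or from Packetlabs: it reads a manifest (Manifest V2 or V3) and flags the permission combination that enables silent cookie stuffing. The manifest keys it inspects (`background.page`, `background.scripts`, `background.service_worker`, `permissions`, `host_permissions`, `content_scripts`) are real Chrome manifest fields; the two sample manifests, including the `bg.html` one modelled on the article's description, are constructed for this example and do not belong to any real extension.

```javascript
// Added example (not from the McAfee write-up or Packetlabs): static triage
// of a Chrome extension manifest for the cookie-stuffing permission profile.
// Run with: node triage.js

const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadHost(pattern) {
  return BROAD_HOSTS.includes(pattern);
}

// Manifest V2 mixes host match patterns into "permissions"; V3 separates them
// into "host_permissions". This tells the two kinds of entry apart.
function isHostPattern(p) {
  return p === "<all_urls>" || /^[a-z*]+:\/\//.test(p);
}

// Returns { score, findings }: one finding per risk signal, plus one more
// when the signals combine into the profile the article describes.
function triageManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = [...(manifest.host_permissions || []), ...perms.filter(isHostPattern)];
  const apiPerms = perms.filter((p) => !isHostPattern(p));

  const bg = manifest.background || {};
  if (bg.page || bg.service_worker || (bg.scripts && bg.scripts.length)) {
    const what = bg.page || bg.service_worker || bg.scripts.join(", ");
    findings.push(`background code runs outside any tab: ${what}`);
  }
  const broad = hosts.filter(isBroadHost);
  if (broad.length) {
    findings.push(`host access to every site: ${broad.join(", ")}`);
  }
  if (apiPerms.includes("tabs")) {
    findings.push('"tabs" permission: can read the URL of every open tab');
  }
  if (apiPerms.includes("cookies")) {
    findings.push('"cookies" permission: can read and rewrite site cookies');
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHost)) {
      findings.push(`content script injected into every page: ${(cs.js || []).join(", ")}`);
    }
  }
  // Score the combination, not the single permissions: many honest tools need
  // one of these, but "see every URL + reach every site + alter cookies" is
  // exactly what affiliate cookie stuffing requires.
  if (broad.length && apiPerms.includes("tabs") && apiPerms.includes("cookies")) {
    findings.push("COMBINATION: broad hosts + tabs + cookies matches the cookie-stuffing profile");
  }
  return { score: findings.length, findings };
}

// Constructed sample modelled on the article's description (a V2 manifest
// whose background page is bg.html). Not any real extension's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "constructed-suspicious",
  version: "1.0",
  background: { page: "bg.html" },
  permissions: ["tabs", "cookies", "storage", "<all_urls>"],
};

// Constructed benign comparison: a click-to-run tool that only touches the
// active tab and has no background code.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "constructed-benign",
  version: "1.0",
  permissions: ["activeTab"],
  action: {},
};

for (const m of [SAMPLE_MANIFEST, BENIGN_MANIFEST]) {
  const r = triageManifest(m);
  console.log(`${m.name}: score ${r.score}`);
  r.findings.forEach((f) => console.log("  - " + f));
}
```

The constructed suspicious manifest scores 5 (background page, broad hosts, tabs, cookies, and the combination) while the benign one scores 0. A manifest check is only a first pass: it cannot see the 15-day activation delay the researchers describe, so a dynamic test run immediately after installation will look clean. Capture the extension's outbound traffic again well after install, or inspect what it writes to extension storage at install time, before concluding that a high-scoring manifest is harmless.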

How to protect your system from imposter extensions

Here are a few things you can do before installing an extension.

  • Do thorough research: Before using any extension, security professionals and experts recommend thorough research to check whether the extension can pose threats.

  • Use extensions only if required: Install browser extensions only when they are essential. There are lots of little-scrutinised extensions that can steal sensitive credentials or secretly monitor your browsing behaviour.

  • Keep yourself up to date: Stay updated with the latest research/news reports, and make a checklist of all the blacklisted extensions available in the store.

  • Disable JavaScript: We can disable JavaScript from running automatically within the browser. It will prevent various extensions from executing unnecessary JavaScript code.

  • Seek guidance: Do not install any extension from third-party or torrent websites. Seek expert guidance from Packetlabs to build defensive mechanisms.

Browser extensions enhance the browsing experience but are full of pitfalls. Cookie-stuffing Chrome extensions earn money for affiliates but are also open to abuse by hackers. Cybercriminals can create multiple imposter extensions and dupe even the most cautious users. Security experts recommend thorough research, using extensions only if required, disabling JavaScript and seeking expert guidance to stay protected from such malicious practices.
