The Chrome extensions can change cookies on eCommerce websites so that their author obtains affiliate income for the purchased items, without the victim’s awareness, and they have a total install base of over 1.4 million.
The five malicious add-ons allow users to track online prices and coupons, watch Netflix shows with friends (Netflix Party and Netflix Party 2, with a combined install base of 1.1 million), take screenshots, and watch Netflix together (Full Page Screenshot Capture – Screenshotting, with 200,000 installs).
When a user views a new URL in a tab, the extensions subscribe to events that are triggered so they can send tracking information to the creator’s server, which determines whether the user has visited a website for which an affiliate ID is present.
Based on the server’s answer, the extension can inject an iframe URL and a cookie with the extension developer’s affiliate ID into the target website. The extension developer will then receive a commission for any purchases that users make on the target website.
