Malicious Google Chrome extensions sends users browsing activity to threat actors; identified by McAfee
Recently, McAfee’s threat analysts discovered five Google Chrome extensions, which steals users’ browsing activity. The extensions have been downloaded about 1.4 million times so far.
The malicious extensions monitor when users do a visit to an e-commerce website. Accordingly, it modifies the visitor’s cookie to appear in a way that indicates they came through a referrer link. As a result, the authors of the extensions receive an affiliate fee for any purchases at electronic shops.
McAfee discovered the following five extensions:
- Netflix Party
- Netflix Party 2
- Full Page Screenshot Capture – Screenshotting
- FlipShope – Price Track Extension
- AutoBuy Flash Sales
The victims never notice the malicious intentions as the extensions carries on their mentioned functionality. The use of these extensions does not affect the user directly, however it possess risk to privacy.
Experts recommend users to stop using the extensions even if they find the functionality useful.
McAfee has released a video that displays how the URL and cookie modifications happen in real time.
The extensions have their own way of evading extension and analysis. They confuse researchers and vigilant users by executing a delay of 15 days from the time of the installation of the extensions. After this period the extensions starts sending the browsing activity.
According to latest reports, authorities have removed the two Netflix extensions. However, “Full Page Screenshot Capture – Screenshotting” and “FlipShope – Price Tracker Extension” are still available on the Chrome Web Store. It is also to be noted that even when the extensions are removed; it still stays in the users’ web browser unless they manually remove it.
Update 23/09/2022
According to a recent update shared by Fileshope a browser extension now their extension doesn’t exhibit any malicious behavior and the same has been updated by McAfee in their new report.
Fileshope also shared a statement with us in regard to this matter.
Flipshope, a shopping extension from India, previously included in this article doesn’t agree with McAfee’s allegations and explains in detail how these allegations don’t stand valid for them,”