Chrome Stealthily Enriching Criminal Hackers
Google Chrome extensions are often essential, especially for accessing some online programs. But when those extensions become a lucrative money-making instrument for hackers, a serious cyber threat sits on the horizon, waiting to explode. Recently, five Chrome extensions were identified as stealth trackers that monitor and save the browsing history of the individuals who use them.
McAfee’s threat analyst team discovered that, so far, more than 1.4 million individuals have downloaded the five extensions.
Their tracking activity indicates that users of e-commerce websites are the likely victims of having their browsing preferences stealthily tracked. Another issue is that the tracking cookies associated with the harmful Chrome browser extensions are said to alter visitors’ cookies while redirecting them to other websites. The scam is set up to look as though the visitors clicked on referral links to arrive at the unintended websites.
Affiliate Generating Links
Through hidden referral links, transactions made by shoppers at targeted online stores secretly generate affiliate income for the creator of the maliciously coded Chrome extensions. Below are the extensions, with their extension IDs and download counts, that threat actors are using to effortlessly earn millions of dollars in revenue from unsuspecting victims.
Netflix Party (mmnbenehknklpbendgmgngeaignppnbe) – 800,000 downloads
Netflix Party 2 (flijfnhifgdcbhglkneplegafminjnhn) – 300,000 downloads
Screenshotting – Full Page Screenshot Capture (pojgkmkfincpdkdgjepkmdekcahmckjp) – 200,000 downloads
FlipShope – Price Tracker Extension (adikhbfjdbjkhelbdnffogkobkekkkej) – 80,000 downloads
AutoBuy Flash Sales (gbnahglfafmhaehbdmjedfhdmimjcbed) – 20,000 downloads
The McAfee analysis team has warned that the discovered extensions pose a serious threat to Internet shoppers. Even though individuals might have found the functionality of the extensions above useful, it is a good idea to delete them immediately, since the danger they pose far outweighs their limited benefits.
Additionally, the research team advised removing them from users’ browsers immediately and completely, as the five Chrome extensions have lost their functionality and no longer support any viable browser activities.
Deceitful Extensions Function
The five extensions have one thing in common: they all behave in the same manner. McAfee threat analysts found similar behavior in the multipurpose script (B0.js) of all the analyzed Chrome extensions. Additionally, they noted questionable loads of the web app manifest (“manifest.json”) file.
The team’s research also outlined how each extension operates when visitors use it. It shows that the maliciously coded extensions relay valuable browsing information to the criminal hackers’ domain (“langhort[.]com”).
The stolen information was gathered each time a visitor accessed a new URL via the harmful browser extensions. So far, it shows that the private data transmitted via POST requests includes users’ IDs and device location, such as country, city, and zip code, of mostly USA online users. Along with the base64-encoded referral URL, it also harvests the user ID and device location, which are immediately transmitted to the criminal hackers’ secretive data collection portals.
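To act on the removal advice, the five extension IDs listed above can be searched for on disk. The following is an added example, not code from McAfee or from the original article: it walks a Chrome user-data directory, reports every installed copy of a listed extension in any profile, and notes whether a file named B0.js is present. It assumes Chrome's usual on-disk layout of <profile>/Extensions/<extension id>/<version>/; the function name and the CHROME_USER_DATA environment variable are this example's own.

```python
import json
import os
from pathlib import Path

# Extension IDs and names as listed in the article.
FLAGGED = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Screenshotting - Full Page Screenshot Capture",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope - Price Tracker Extension",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}


def find_flagged_extensions(user_data_dir):
    """Return one finding per installed version of a flagged extension.

    Assumed layout (Chrome's usual one):
    <user_data_dir>/<profile>/Extensions/<extension id>/<version>/manifest.json
    """
    findings = []
    for ext_root in sorted(Path(user_data_dir).glob("*/Extensions")):
        for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
            ext_id = ext_dir.name.lower()
            if ext_id not in FLAGGED:
                continue
            for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                try:
                    text = (version_dir / "manifest.json").read_text(encoding="utf-8-sig")
                    version = str(json.loads(text)["version"])
                except (OSError, ValueError, KeyError, TypeError):
                    version = version_dir.name  # missing or corrupt manifest: use dir name
                scripts = [f for _, _, files in os.walk(version_dir) for f in files if f.lower() == "b0.js"]
                findings.append({
                    "profile": ext_root.parent.name,
                    "id": ext_id,
                    "name": FLAGGED[ext_id],
                    "version": version,
                    "has_b0_js": bool(scripts),
                    "path": str(version_dir),
                })
    return findings


if __name__ == "__main__":
    # Default is the Linux location; set CHROME_USER_DATA to the Windows/macOS "User Data" path.
    default = Path.home() / ".config" / "google-chrome"
    for f in find_flagged_extensions(os.environ.get("CHROME_USER_DATA", default)):
        print(f"{f['profile']}: {f['name']} ({f['id']}) v{f['version']} b0.js={f['has_b0_js']} -> {f['path']}")
```

A finding with has_b0_js set to False still warrants removal, since the match is on the extension ID; the script check is only a supporting indicator.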