# Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users **[mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuffing-chrome-extensions-with-1-4-million-users)** August 29, 2022 [McAfee Labs](https://www.mcafee.com/blogs/author/mcafee-labs/) Aug 29, 2022 7 MIN READ Authored by Oliver Devane and Vallabh Chole [A few months ago, we blogged about malicious extensions redirecting users to phishing sites](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/) and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000 ----- The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the ----- cookies on the site so that the extension authors receive affiliate payment for any items purchased. The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors. The 5 extensions are Name Extension ID Users Netflix Party mmnbenehknklpbendgmgngeaignppnbe 800,000 Netflix Party 2 flijfnhifgdcbhglkneplegafminjnhn 300,000 FlipShope – Price Tracker Extension Full Page Screenshot Capture – Screenshotting adikhbfjdbjkhelbdnffogkobkekkkej 80,000 pojgkmkfincpdkdgjepkmdekcahmckjp 200,000 AutoBuy Flash Sales gbnahglfafmhaehbdmjedfhdmimjcbed 20,000 ## Technical Analysis This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior. ## Manifest.json ----- The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites. ## B0.js The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response. Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab. ----- Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format: **Variable** **Description** Ref Base64 encoded referral URL County The county of the device City The city of the device Zip The zip code of the device Apisend A random ID generated for the user. Name Base64 encoded URL being visited ext_name The name of the chrome extensions The random ID is created by selecting 8 random characters in a character set. The code is shown below: ----- The country, city, and zip are gathered using ip-api.com. The code is shown below: Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below: The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains. ----- Two of the functions are detailed below: ## Result[‘c’] – passf_url If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited. ## Result[‘e’] setCookie If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions. ----- ## Behavioral flow The images below show the step-by-step flow of events while navigating to the BestBuy website. ----- 1. The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 2. Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 3. passf_url() will perform a request against the URL 4. the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 5. The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 6. Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com Here is a video of the events ----- Watch Video At: https://youtu.be/-N7MW8tJBvQ ## Time delay to avoid automated analysis We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation. ----- ## Conclusion This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code. McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting. ----- The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below. The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product. Type Value Product Detected ----- Chrome Extension Chrome Extension Chrome Extension Chrome Extension Chrome Extension Netflix Party – mmnbenehknklpbendgmgngeaignppnbe FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej Full Page Screenshot Capture pojgkmkfincpdkdgjepkmdekcahmckjp Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn AutoBuy Flash Sales gbnahglfafmhaehbdmjedfhdmimjcbed Total Protection and LiveSafe Total Protection and LiveSafe Total Protection and LiveSafe Total Protection and LiveSafe Total Protection and LiveSafe JTI/Suspect JTI/Suspect JTI/Suspect JTI/Suspect JTI/Suspect Blocked Blocked Blocked Blocked Blocked Blocked Blocked URL www.netflixparty1.com McAfee WebAdvisor URL netflixpartyplus.com McAfee WebAdvisor URL flipshope.com McAfee WebAdvisor URL goscreenshotting.com McAfee WebAdvisor URL langhort.com McAfee WebAdvisor URL Unscart.in McAfee WebAdvisor URL autobuyapp.com McAfee WebAdvisor [McAfee Labs Threat Research Team](https://www.mcafee.com/blogs/author/mcafee-labs/) McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information. ## More from McAfee Labs ----- [Technical Support Scams – What to look out for](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/technical-support-scams-what-to-look-out-for/%20) Authored by Oliver Devane Technical Support Scams have been targeting computer users for many years. Their goal... Aug 02, 2022 | 10 MIN READ [New HiddenAds malware affects 1M+ users and hides on the Google Play Store](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/%20) Authored by Dexter Shin McAfee’s Mobile Research Team has identified new malware on the Google Play Store.... Jul 28, 2022 | 6 MIN READ [Rise of LNK (Shortcut files) Malware](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/%20) Authored by Lakshya Mathur An LNK file is a Windows Shortcut that serves as a pointer to... Jun 21, 2022 | 6 MIN READ ----- [Instagram credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20) Authored by Dexter Shin Instagram has become a platform with over a billion monthly active users. Many... Jun 10, 2022 | 6 MIN READ [Instagram credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20) Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who... Jun 10, 2022 | 4 MIN READ [Phishing Campaigns featuring Ursnif Trojan on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/%20) Authored by Jyothi Naveen and Kiran Raj McAfee Labs have been observing a spike in phishing campaigns... Jun 07, 2022 | 6 MIN READ ----- [Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-elon-musk-speaks-on-cryptocurrency/%20) By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has identified 15... May 25, 2022 | 4 MIN READ [Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20) Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to current events, so... Apr 01, 2022 | 7 MIN READ [Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20) Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions... Mar 10, 2022 | 8 MIN READ ----- [Why Am I Getting All These Notifications on my Phone?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/why-am-i-getting-all-these-notifications-on-my-phone/%20) Authored by Oliver Devane and Vallabh Chole Notifications on Chrome and Edge, both desktop browsers, are commonplace,... Feb 25, 2022 | 5 MIN READ [Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20) In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was... Feb 04, 2022 | 4 MIN READ [HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20) Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,... Dec 13, 2021 | 6 MIN READ ----- -----