{
	"id": "31909a44-d079-4b35-97de-426420724d9c",
	"created_at": "2026-04-06T00:21:10.579388Z",
	"updated_at": "2026-04-10T03:23:52.143868Z",
	"deleted_at": null,
	"sha1_hash": "9eff7518fefc879db06f645293559c8b1eb9b473",
	"title": "The Case for Limiting Your Browser Extensions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1273717,
	"plain_text": "The Case for Limiting Your Browser Extensions\r\nPublished: 2020-03-06 · Archived: 2026-04-05 19:25:32 UTC\r\nLast week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was\r\nflagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized\r\ncode. An investigation determined it was injected by a browser extension installed on the computer of a Blue\r\nShield employee who’d edited the Web site in the past month.\r\nThe incident is a reminder that browser extensions — however useful or fun they may seem when you install them\r\n— typically have a great deal of power and can effectively read and/or write all data in your browsing sessions.\r\nAnd as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising\r\nfirms, or in some cases abandon them to outright cybercriminals.\r\nThe health insurance site was compromised after an employee at the company edited content on the site while\r\nusing a Web browser equipped with a once-benign but now-compromised extension which quietly injected code\r\ninto the page.\r\nThe extension in question was Page Ruler, a Chrome addition with some 400,000 downloads. Page Ruler lets\r\nusers measure the inch/pixel width of images and other objects on a Web page. But the extension was sold by the\r\noriginal developer a few years back, and for some reason it’s still available from the Google Chrome store despite\r\nmultiple recent reports from people blaming it for spreading malicious code.\r\nHow did a browser extension lead to a malicious link being added to the health insurance company Web site? 
This\r\ncompromised extension tries to determine if the person using it is typing content into specific Web forms, such as\r\na blog post editing system like WordPress or Joomla.\r\nIn that case, the extension silently adds a request for a javascript link to the end of whatever the user types and\r\nsaves on the page. When that altered HTML content is saved and published to the Web, the hidden javascript code\r\ncauses a visitor’s browser to display ads under certain conditions.\r\nWho exactly gets paid when those ads are shown or clicked is not clear, but there are a few clues about who’s\r\nfacilitating this. The malicious link that set off antivirus alarm bells when people tried to visit Blue Shield\r\nCalifornia downloaded javascript content from a domain called linkojager[.]org.\r\nThe file it attempted to download — 212b3d4039ab5319ec.js — appears to be named after an affiliate\r\nidentification number designating a specific account that should get credited for serving advertisements. A simple\r\nhttps://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/\r\nPage 1 of 5\n\nInternet search shows this same javascript code is present on hundreds of other Web sites, no doubt inadvertently\r\npublished by site owners who happened to be editing their sites with this Page Ruler extension installed.\r\nIf we download a copy of that javascript file and view it in a text editor, we can see the following message toward\r\nthe end of the file:\r\n[NAME OF EXTENSION HERE]’s development is supported by advertisements that are added to\r\nsome of the websites you visit. During the development of this extension, I’ve put in thousands of hours\r\nadding features, fixing bugs and making things better, not mentioning the support of all the users who\r\nask for help.\r\nAds support most of the internet we all use and love; without them, the internet we have today would\r\nsimply not exist. 
Similarly, without revenue, this extension (and the upcoming new ones) would not be\r\npossible.\r\nYou can disable these ads now or later in the settings page. You can also minimize the ads appearance\r\nby clicking on partial support button. Both of these options are available by clicking \\’x\\’ button in the\r\ncorner of each ad. In both cases, your choice will remain in effect unless you reinstall or reset the\r\nextension.\r\nThis appears to be boilerplate text used by one or more affiliate programs that pay developers to add a few lines of\r\ncode to their extensions. The opt-out feature referenced in the text above doesn’t actually work because it points to\r\na domain that no longer resolves — thisadsfor[.]us. But that domain is still useful for getting a better idea of what\r\nwe’re dealing with here.\r\nRegistration records maintained by DomainTools [an advertiser on this site] say it was originally registered to\r\nsomeone using the email address frankomedison1020@gmail.com. A reverse WHOIS search on that unusual\r\nname turns up several other interesting domains, including icontent[.]us.\r\nicontent[.]us is currently not resolving either, but a cached version of it at Archive.org shows it once belonged to\r\nan advertising network called Metrext, which marketed itself as an analytics platform that let extension makers\r\ntrack users in real time.\r\nAn archived copy of the content once served at icontent[.]us promises “plag’n’play” capability.\r\n“Three lines into your product and it’s in live,” iContent enthused. 
“High revenue per user.”\r\nAnother domain tied to Frank Medison is cdnpps[.]us, which currently redirects to the domain\r\n“monetizus[.]com.” Like its competitors, Monetizus’ site is full of grammar and spelling errors: “Use Monetizus\r\nSolutions to bring an extra value to your toolbars, addons and extensions, without loosing an audience,” the\r\ncompany says in a banner at the top of its site.\r\nBe sure not to “loose” out on sketchy moneymaking activities!\r\nContacted by KrebsOnSecurity, Page Ruler’s original developer Peter Newnham confirmed he sold his extension\r\nto MonetizUs in 2017.\r\n“They didn’t say what they were going to do with it but I assumed they were going to try to monetize it somehow,\r\nprobably with the scripts their website mentions,” Newnham said.\r\n“I could have probably made a lot more running ad code myself but I didn’t want the hassle of managing all of\r\nthat and Google seemed to be making noises at the time about cracking down on that kind of behaviour so the one\r\noff payment suited me fine,” Newnham said. “Especially as I hadn’t updated the extension for about 3 years and\r\nwork and family life meant I was unlikely to do anything with it in the future as well.”\r\nMonetizus did not respond to requests for comment.\r\nNewnham declined to say how much he was paid for surrendering his extension. But it’s not difficult to see why\r\ndevelopers might sell or lease their creation to a marketing company: Many of these entities offer the promise of a\r\nhefty payday for extensions with decent followings. 
For example, one competing extension monetization platform\r\ncalled AddonJet claims it can offer revenues of up to $2,500 per day for every 100,000 user in the United States\r\n(see screenshot below).\r\nRead here how its work!\r\nI hope it’s obvious by this point, but readers should be extremely cautious about installing extensions — sticking\r\nmainly to those that are actively supported and respond to user concerns. Personally, I do not make much use of\r\nbrowser extensions. In almost every case I’ve considered installing one I’ve been sufficiently spooked by the\r\npermissions requested that I ultimately decided it wasn’t worth the risk.\r\nIf you’re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going\r\nforward. Given the high stakes that typically come with installing an extension, consider carefully whether having\r\nthe extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems\r\nlike WordPress and Joomla.\r\nDo not agree to update an extension if it suddenly requests more permissions than a previous version. This should\r\nbe a giant red flag that something is not right. If this happens with an extension you trust, you’d be well advised to\r\nremove it entirely.\r\nAlso, never download and install an extension just because some Web site says you need it to view some type of\r\ncontent. Doing so is almost always a high-risk proposition. 
Here, Rule #1 from KrebsOnSecurity’s Three Rules of\r\nOnline Safety comes into play: “If you didn’t go looking for it, don’t install it.” Finally, in the event you do wish\r\nto install something, make sure you’re getting it directly from the entity that produced the software.\r\nGoogle Chrome users can see any extensions they have installed by clicking the three dots to the right of the\r\naddress bar, selecting “More tools” in the resulting drop-down menu, then “Extensions.” In Firefox, click the three\r\nhorizontal bars next to the address bar and select “Add-ons,” then click the “Extensions” link on the resulting page\r\nto view any installed extensions.\r\nSource: https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/"
	],
	"report_names": [
		"the-case-for-limiting-your-browser-extensions"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9eff7518fefc879db06f645293559c8b1eb9b473.pdf",
		"text": "https://archive.orkl.eu/9eff7518fefc879db06f645293559c8b1eb9b473.txt",
		"img": "https://archive.orkl.eu/9eff7518fefc879db06f645293559c8b1eb9b473.jpg"
	}
}