Malicious Cookie Stuffing by Chrome Extensions

VTA-00422 – Malicious Cookie Stuffing by Chrome Extensions

Five imposter extensions for the Google Chrome web browser masquerading as Netflix viewers and others have been found to track users’ browsing activity and profit of retail affiliate programs. The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased. Also, they have an interesting way of dodging detection by delaying the “attack” by 15 days after the first installation. 


Technical and Business Impact Analysis_MSSQL Servers

Attack Surfaces:
Web Browser

Collection, Defense Evasion

Application Layer Protocol, Masquerading, Automated Collection, Browser Extension, System Time Discovery

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Baseline, Network Monitoring, Software Manipulation, System Activity Monitoring

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. Adding the IOC signature into endpoint security protection as the custom threat detection rules. 
2. Always analyze the authenticity of permission request by web extension.
3. Make sure the developer/publisher has a clean record.
4. It is important to review the extensions’s privacy policies and how they collect data.
5. Ensure that the installed extensions are reviewed on a periodic basis.

Contributed by:  aman

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>