Click-Fraud Chrome Extensions Removed from Store After 500,000 Downloads

Extensions for Google’s Chrome browser have to work within certain restrictions, but that hasn’t stopped people from sneaking in malicious features. Researchers from security firm ICEBRG report finding a cluster of scam extensions in the Google Web Store with a combined download figure of more than 500,000. Google has removed the extensions, but the creators of these extensions probably still made a mountain of cash from the scheme.

According to ICEBRG, it first became aware of the dangerous extensions after finding a suspicious spike in outbound network traffic on a client’s machine. The team tracked that to an extension called Change HTTP Request Header running a hidden click-fraud package. As the user goes about his or her business, the extension reaches out to a control server to generate money by clicking ads. The control server actually uses the victim’s computer as a proxy to make it look like a person is clicking the ads and affiliate links that benefit the extension owners. That’s why the extensions generate so much suspicious outbound traffic.

ICEBRG eventually found three more extensions doing the same thing: Nyoogle, Stickies, and Lite Bookmarks. Of the extensions found, Nyoogle had by far the most downloads at more than 500,000 (it promised custom Google logos). The others, including the extension that tipped off ICEBRG, were very small by comparison.

By default, Chrome extensions can only run JavaScript contained within the JSON in the Web Store. That means Google’s security measures can catch malicious behavior. However, developers can enable JSON download capabilities in their extensions. In this case, the developers loaded the extension with new code to generate fake clicks. ICEBRG notes that the extensions could have been used to steal data or probe networks for other vulnerabilities. However, the goal of this scheme was apparently to go unnoticed and make as much money as possible.
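As an added example (not from ICEBRG or the original article), the sketch below audits extension `manifest.json` files for settings that let an extension run code it fetches after installation. It assumes the capability described above shows up as a relaxed `content_security_policy` (`'unsafe-eval'` or a remote script source); the manifests and the `cdn.example.test` host are constructed samples.

```python
import json

# Constructed sample manifests (assumptions, not the removed extensions' real files).
SAMPLE_MANIFESTS = {
    "logo-changer": json.dumps({
        "manifest_version": 2,
        "name": "Logo Changer",
        "permissions": ["<all_urls>", "webRequest"],
        "content_security_policy":
            "script-src 'self' 'unsafe-eval' https://cdn.example.test; object-src 'self'",
    }),
    "notes": json.dumps({
        "manifest_version": 2,
        "name": "Notes",
        "permissions": ["storage"],
    }),
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def csp_string(manifest):
    """Return the extension-page CSP for MV2 (string) or MV3 (object) manifests."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    return csp

def audit_manifest(raw):
    """Return a list of findings for one manifest.json document."""
    manifest = json.loads(raw)
    findings = []
    for directive in csp_string(manifest).split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() not in ("script-src", "default-src"):
            continue
        for src in tokens[1:]:
            if src.lower() == "'unsafe-eval'":
                findings.append("csp allows eval of strings as code")
            elif src.lower().startswith(("http://", "https://", "*")):
                findings.append(f"csp allows remote script source {src}")
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    broad = sorted(p for p in perms if p in BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    return findings

def audit_all(manifests):
    """Map each extension name to its list of findings."""
    return {name: audit_manifest(raw) for name, raw in manifests.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(name, "->", findings or "no findings")
```

A finding is a reason to review the extension, not proof of abuse; some legitimate extensions relax their CSP or request broad host access.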

Google has removed the offending extensions from the store and blocked the developer accounts. Chrome has a reputation for being one of the most secure browsers in the world. It gets frequent updates to patch security holes, and the browser processes are sandboxed from the system. The issue isn’t so much with Chrome itself as it is with extensions in general. Any browser that allows users to run third-party code will be potentially vulnerable to attack. The best course of action is to limit the extensions you run to those from Google and other developer accounts you trust.
