Reefa

Chrome Web Store Beset by Spammy Extensions


Twelve seemingly legitimate Chrome browser extensions installed by more than 180,000 users are injecting advertisements on 44 popular websites.

According to a Barracuda Labs report, the extensions can be found in the official Chrome Web Store. They advertise themselves and operate as games but also require permission to access “your data on all websites,” so that they can inject advertisements into the user’s browser on any website that person visits. All of the allegedly spammy extensions are registered to the same developer organization: www.konplayer[.]com.

Threatpost attempted to reach out to the people responsible for developing the extensions but was not able to. It appears that some of Konplayer’s extensions have been removed from the Chrome Web Store.

You can see a list of affected websites in the following graphic:

[Image: list of affected websites]

The malicious JavaScript responsible for injecting advertisements isn’t contained directly within the extensions themselves. Instead, the extensions contain a reference URL to www[.]chromeadserver[.]com, which contains the malicious JavaScript. As researcher Jason Ding notes, that domain is made to appear as if it is owned and operated by Google but, of course, it is not.

Barracuda Labs then downloaded and decoded the JavaScript contained at the URL referenced above. At first the code seemed benign, but a closer examination revealed that it was responsible for injecting banner advertisements in various positions on popular websites visited by users that had downloaded one of the spam extensions.

The code used by these extensions is similar to the code used by a group of scammers examined in a prior report issued by Barracuda Labs. Ding believes that the group responsible for Konplayer[.]com is the same group that once distributed their malicious extensions from Playook.info.

The graph below contains the names of the allegedly malicious extensions:

[Image: names of the allegedly malicious extensions]

Source
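
An added example, not part of the original post or the Barracuda Labs report: a Python audit that flags the two traits described above, all-site host access requested in the manifest and references to remote hosts in the extension's files. The manifest, file contents, host name and function names are constructed for illustration.

```python
import json
import re

# Match patterns that grant access to every site; Chrome describes this
# to the user as access to "your data on all websites".
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def broad_host_access(manifest):
    """Return the all-site match patterns a parsed manifest requests."""
    patterns = list(manifest.get("permissions", []))      # Manifest V2
    patterns += manifest.get("host_permissions", [])      # Manifest V3
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    # Some permission entries are objects, not strings; skip those.
    return sorted({p for p in patterns if isinstance(p, str) and p in ALL_HOSTS})


def remote_hosts(sources, allowed_hosts=()):
    """Return non-allowlisted hosts referenced by URL in the extension's files."""
    found = set()
    for text in sources.values():
        for host in URL_RE.findall(text):
            if host.lower() not in allowed_hosts:
                found.add(host.lower())
    return sorted(found)


def audit(manifest_text, sources, allowed_hosts=()):
    """Flag an extension that combines all-site access with remote references."""
    manifest = json.loads(manifest_text)
    broad = broad_host_access(manifest)
    hosts = remote_hosts(sources, allowed_hosts)
    # Both traits together mean any page can be changed by code that is
    # fetched at run time and was never part of the reviewed package.
    return {"name": manifest.get("name", "?"), "broad_host_access": broad,
            "remote_hosts": hosts, "review": bool(broad and hosts)}


# Constructed sample of a "game" extension; not taken from the report.
SAMPLE_MANIFEST = """{
  "name": "Example Puzzle Game", "version": "1.0", "manifest_version": 2,
  "permissions": ["http://*/*", "https://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["loader.js"]}]
}"""
SAMPLE_SOURCES = {"loader.js": "var SRC = 'http://ads.example.test/inject.js';"}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

To audit an installed extension, pass the text of its `manifest.json` and a dict of its file contents; hosts the extension is expected to contact go in `allowed_hosts`.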
