Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Customers

Authored by Oliver Devane and Vallabh Chole 

A couple of months in the past, we blogged about malicious extensions redirecting customers to phishing websites and inserting affiliate IDs into cookies of eCommerce websites. Since that point, we’ve got investigated a number of different malicious extensions and found 5 extensions with a complete set up base of over 1,400,000

The extensions supply numerous performs resembling enabling customers to look at Netflix exhibits collectively, web site coupons, and taking screenshots of a web site. The latter borrows a number of phrases from one other fashionable extension known as GoFullPage 

Aside from providing the supposed performance, the extensions additionally monitor the consumer’s looking exercise.  Each web site visited is distributed to servers owned by the extension creator. They do that in order that they will insert code into eCommerce web sites being visited. This motion modifies the cookies on the location in order that the extension authors obtain affiliate fee for any gadgets bought.    

The customers of the extensions are unaware of this performance and the privateness threat of each web site being visited being despatched to the servers of the extension authors.  

The 5 extensions are  

Identify  Extension ID  Customers 
Netflix Occasion  mmnbenehknklpbendgmgngeaignppnbe  800,000 

Netflix Occasion 2 

flijfnhifgdcbhglkneplegafminjnhn  300,000 

FlipShope – Worth Tracker Extension 


adikhbfjdbjkhelbdnffogkobkekkkej  80,000 

Full Web page Screenshot Seize – Screenshotting 


pojgkmkfincpdkdgjepkmdekcahmckjp  200,000 
AutoBuy Flash Gross sales  gbnahglfafmhaehbdmjedfhdmimjcbed  20,000 


Technical Evaluation 

This part accommodates the technical evaluation of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions carry out related conduct.   



The manifest.json units the background web page as bg.html. This HTML file hundreds b0.js and that is accountable for sending the URL being visited and injecting code into the eCommerce websites. 


The b0.js script accommodates many capabilities. This weblog will give attention to the capabilities that are accountable for sending the visited URLs to the server and processing the response.  

Chrome extensions work by subscribing to occasions which they then use as triggers to carry out a sure exercise. The extensions analyzed subscribe to occasions coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will set off when a consumer navigates to a brand new URL inside a tab.

As soon as this occasion triggers, the extension will set a variable known as curl with the URL of the tab by utilizing the tab.url variable. It creates a number of different variables that are then despatched to The POST information is within the following format:

Variable  Description 
Ref  Base64 encoded referral URL 
County  The county of the machine 
Metropolis  The town of the machine 
Zip  The zip code of the machine 
Apisend  A random ID generated for the consumer. 
Identify  Base64 encoded URL being visited 
ext_name  The title of the chrome extensions 


The random ID is created by choosing 8 random characters in a personality set. The code is proven beneath: 

The nation, metropolis, and zip are gathered utilizing The code is proven beneath: 

Upon receiving the URL, will test if it matches an inventory of internet sites that it has an affiliate ID for, and If it does, it can reply to the question. An instance of that is proven beneath: 

The info returned is in JSON format. The response is checked utilizing the perform beneath and can invoke additional capabilities relying on what the response accommodates. 

Two of the capabilities are detailed beneath: 

Consequence[‘c’] – passf_url 

If the result’s ‘c’ such because the one on this weblog, the extension will question the returned URL. It is going to then test the response and if the standing is 200 or 404, it can test if the question responded with a URL. If it did, it might insert the URL that’s obtained from the server as an Iframe on the web site being visited.  

Consequence[‘e’] setCookie 

If the result’s ‘e’, the extension would insert the end result as a cookie. We have been unable to discover a response of ‘e’ throughout our evaluation, however this could allow the authors so as to add any cookie to any web site because the extensions had the right ‘cookie’ permissions.  

Behavioral stream 

The photographs beneath present the step-by-step stream of occasions whereas navigating to the BestBuy web site.  

  1. The consumer navigates to and the extension posts this URL in a Base64 format to 
  2. responds with “c” and the URL. The “c” means the extension will invoke the perform passf_url() 
  3. passf_url() will carry out a request towards the URL 
  4. the URL queried in step 3 is redirected utilizing a 301 response to with an affiliate ID related to the Extension homeowners 
  5. The extension will insert the URL as an Iframe within the web site being visited by the consumer 
  6. Reveals the Cookie being set for the Affiliate ID related to the Extension homeowners. They may now obtain a fee for any purchases made on  

Here’s a video of the occasions 

Time delay to keep away from automated evaluation 

We found an attention-grabbing trick in a number of of the extensions that may stop malicious exercise from being recognized in automated evaluation environments. They contained a time test earlier than they might carry out any malicious exercise. This was achieved by checking if the present date is > 15 days from the time of set up.  


This weblog highlights the danger of putting in extensions, even those who have a big set up base as they will nonetheless include malicious code.  

McAfee advises its prospects to be cautious when putting in Chrome extensions and take note of the permissions that they’re requesting.   

The permissions shall be proven by Chrome earlier than the set up of the extension. Prospects ought to take additional steps to confirm the authenticity if the extension is requesting permissions that allow it to run on each web site you go to such because the one detailed on this weblog  

McAfee prospects are protected towards the malicious websites detailed on this weblog as they’re blocked with McAfee WebAdvisor as proven beneath.   

The Malicious code inside the extension is detected as JTI/Suspect. Please carry out a ‘Full’ scan through the product.  

Sort  Worth  Product  Detected 
Chrome Extension  Netflix Occasion – mmnbenehknklpbendgmgngeaignppnbe  Whole Safety and LiveSafe  JTI/Suspect 
Chrome Extension  FlipShope – Worth Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej  Whole Safety and LiveSafe  JTI/Suspect 
Chrome Extension  Full Web page Screenshot Seize 


Whole Safety and LiveSafe  JTI/Suspect 
Chrome Extension  Netflix Occasion 2 – flijfnhifgdcbhglkneplegafminjnhn  Whole Safety and LiveSafe  JTI/Suspect 
Chrome Extension  AutoBuy Flash Gross sales  gbnahglfafmhaehbdmjedfhdmimjcbed  Whole Safety and LiveSafe  JTI/Suspect 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 
URL  McAfee WebAdvisor  Blocked 

Latest articles

Related articles

Leave a reply

Please enter your comment!
Please enter your name here