KnowBe4 Security Awareness Training Blog

Don't Let Your Users Download Malicious Chrome Extensions

Written by Stu Sjouwerman | Sep 25, 2019 10:46:08 AM

Here's a relatively "innocent" example of this risk. The ‘AdBlock’ and ‘uBlock’ extensions look just like legitimate Chrome extensions, but instead of blocking ads they engage in cookie stuffing to defraud affiliate marketing programs, a researcher has found.

Google has removed two malicious ad blockers from its Chrome Web Store after a researcher discovered they were carrying out ad fraud and deceiving Chrome users by using the names of legitimate and popular blockers.

Researcher Andrey Meshkov from rival ad blocker maker AdGuard discovered that the extensions “AdBlock” and “uBlock” found in the store were fraudulent and alerted users in a blog post. Rather than legitimately block ads on websites, which is the obvious purpose of this type of browser extension, the malicious blockers perform what’s called “cookie stuffing,” Meshkov said.

In this technique, which has been used since the internet’s early days, a website or browser extension adds extra information to a user’s cookie so it looks like more people clicked on an affiliate ad than actually did. Cybercriminals use cookie stuffing to win money through ad fraud.

By using fake ad blockers, cybercriminals can earn commission on purchases made on sites stuffed with the cookies, Meshkov said. What makes this type of ad fraud especially hard to prevent is that users downloading fraudulent ad blockers find it difficult to tell them apart from legitimate ones, he said.

A much more malicious form of this is social engineering users into downloading Trojans and other backdoors via sideloading, or potentially via a site that looks just like the Chrome Web Store. We strongly recommend locking down Chrome and whitelisting only the allowed extensions. Full story at ThreatPost.

https://threatpost.com/malicious-ad-blockers-for-chrome-caught-in-ad-fraud-scheme/148591/
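One way to check endpoints before enforcing an extension whitelist, as an added example that is not from the original post or from KnowBe4: this Python script audits a Chrome profile's `Extensions` directory against an approved list and flags extensions that reuse a trusted name under an unapproved ID, the pattern the fake ‘AdBlock’ and ‘uBlock’ relied on. It assumes the usual on-disk layout `Extensions/<id>/<version>/manifest.json`; the IDs, the sample profile and the verdict labels are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist (ID -> expected name); the IDs are placeholders, not real Web Store IDs.
ALLOWLIST = {"a" * 32: "AdBlock", "b" * 32: "uBlock Origin"}

def norm(name):
    return "".join(c for c in name.lower() if c.isalnum())

def display_name(version_dir):
    """Read the extension name, resolving a localized __MSG_key__ placeholder."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            table = {k.lower(): v for k, v in json.loads(msgs.read_text(encoding="utf-8")).items()}
            name = table.get(name[6:-2].lower(), {}).get("message", name)
    return name

def audit(ext_root, allowlist=ALLOWLIST):
    """Return {extension_id: (name, verdict)}; the last version in sort order wins."""
    trusted = [norm(n) for n in allowlist.values()]
    report = {}
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = mf.parent.parent.name
        name = display_name(mf.parent)
        n = norm(name)
        if ext_id in allowlist:
            verdict = "allowed"
        elif n and any(t.startswith(n) or n.startswith(t) for t in trusted):
            verdict = "lookalike"  # trusted-looking name under an unapproved ID
        else:
            verdict = "not-allowlisted"
        report[ext_id] = (name, verdict)
    return report

def make_sample_profile():
    """Build a constructed Extensions directory: one approved, two impostors, one unrelated."""
    root = Path(tempfile.mkdtemp())
    for ext_id, name in [("a" * 32, "AdBlock"), ("c" * 32, "AdBlock"),
                         ("d" * 32, "__MSG_extName__"), ("e" * 32, "Weather Tab")]:
        vdir = root / ext_id / "1.0_0"
        (vdir / "_locales" / "en").mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (vdir / "_locales/en/messages.json").write_text(json.dumps({"extName": {"message": "uBlock"}}))
    return root
```

Calling `audit(make_sample_profile())` reports the two impostors as `lookalike`; the name match is a heuristic for triage, and the extension ID remains the only value an allowlist should trust.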