Affiliate rip-off through Chrome browser add-ons

McAfee’s IT security experts have identified five Chrome add-ons that manipulate browser data and operate affiliate rip-offs. In total, they were installed 1.4 million times.


As employees of the US IT security company McAfee have discovered, five malicious browser extensions for Google Chrome are in circulation, which have a total of 1.4 million installations. The add-ons in question branch off data in the browser, manipulate it and push cookies onto users, which bring in affiliate income for the programmers.


Browser extensions with malicious add-on functionality

The affected add-ons are a total of five browser extensions for Google Chrome. They sell voucher codes, allow screenshots of websites or offer to watch Netflix together with other users. In the respective descriptions in the web store, the extension programmers sometimes bait with texts of popular add-ons with the functions mentioned.

The extensions not only do what they promise – they also track the surfing behavior of the users. Every website visited ends up on the programmers’ servers. According to the McAfee experts, they want to use this to incorporate their own code into the eCommerce websites they visit.


How it works

In order to reach their destination, the add-ons send the URL of the visited website to a server of its developers. This looks up whether it has an affiliate ID for the website. If so, it sends back an address. The add-on then builds this address into the website as an iframe and sets the cookie with the fraudster’s affiliate ID. Once this has happened, they will receive an unfair commission for each subsequent purchase made on that website.

In order to avoid the discovery of this “additional function” through automatisms, some add-on programmers build in delays. The add-ons only set the wrong cookies around 15 days after installation – before that they remain unsuspicious.


Recommendations for action

Chrome users should check whether they have one of the following five browser extensions installed and uninstall them quickly if necessary:

Name Extension ID Number of installations
AutoBuy Flash Sales gbnahglfafmhaehbdmjedfhdmimjcbed 20,000
FlipShope – Price Tracker Extension adikhbfjdbjkhelbdnffogkobkekkkej 80,000
Full Page Screenshot Capture – Screenshotting pojgkmkfincpdkdgjepkmdekcahmckjp 200,000
Netflix Party mmnbenehknklpbendgmgngeaignppnbe 800,000
Netflix Party 2 flijfnhifgdcbhglkneplegafminjnhn 300,000

Source: McAfee