Website Uses “Add Extension to Leave” Popups to Infect Chrome Users

Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.

In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen…

Malvertising campaign

Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.

This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension.

Enticing might in fact be a euphemism, since in this case the user is given no choice other than “Add Extension to Leave”, while their browser is stuck in a never-ending loop of fullscreen modes. The tricks used here are very similar to what Pieter Arntz described in his Nov. ’16 blog (Forced into installing a Chrome extension).

Hidden but omnipresent

Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu from the animation below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them.
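When chrome://extensions cannot be opened, the installed extensions can still be audited from disk. The Python sketch below is an added example, not code from the original post or from Malwarebytes: it walks a Chrome profile's Extensions directory (laid out as id/version/manifest.json) and flags any extension whose declared icon is a 1×1 PNG or that requests the tabs permission. The two heuristics, the function names and the sample data are assumptions made for illustration.

```python
import json, struct, tempfile
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_size(data):
    """(width, height) from a PNG's IHDR chunk, or None if not a PNG."""
    ok = len(data) >= 24 and data[:8] == PNG_SIG and data[12:16] == b"IHDR"
    return struct.unpack(">II", data[16:24]) if ok else None

def audit_extension(version_dir):
    """Findings for one unpacked extension (directory holding manifest.json)."""
    version_dir = Path(version_dir)
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    paths = set((manifest.get("icons") or {}).values())
    for key in ("browser_action", "action"):  # toolbar button key in MV2 / MV3
        icon = (manifest.get(key) or {}).get("default_icon")
        paths.update([icon] if isinstance(icon, str) else (icon or {}).values())
    findings = []
    for rel in sorted(p for p in paths if isinstance(p, str)):
        path = version_dir / rel.lstrip("/")
        size = png_size(path.read_bytes()) if path.is_file() else None
        if size is not None and max(size) <= 1:  # effectively invisible logo
            findings.append(f"icon {rel} is {size[0]}x{size[1]} px")
    if "tabs" in (manifest.get("permissions") or []):
        findings.append("requests 'tabs' permission (tab URLs are readable)")
    return findings

def audit_profile(extensions_root):
    """Map 'id/version' to findings for each extension under <profile>/Extensions."""
    dirs = sorted(m.parent for m in Path(extensions_root).glob("*/*/manifest.json"))
    report = {"/".join(d.parts[-2:]): audit_extension(d) for d in dirs}
    return {k: v for k, v in report.items() if v}

def build_sample(root):
    """Constructed test data: one extension with a 1x1 icon, one ordinary one."""
    for ext_id, side, perms in (("aaaa", 1, ["tabs"]), ("bbbb", 128, ["storage"])):
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        ihdr = struct.pack(">I4sIIBBBBB", 13, b"IHDR", side, side, 8, 6, 0, 0, 0)
        (d / "icon.png").write_bytes(PNG_SIG + ihdr + b"\0\0\0\0")  # header only
        (d / "manifest.json").write_text(json.dumps(
            {"name": ext_id, "version": "1.0", "icons": {"128": "icon.png"}, "permissions": perms}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample(tmp)))
```

To audit a real profile, pass its Extensions directory to `audit_profile`, for example `~/.config/google-chrome/Default/Extensions` on Linux. Many legitimate extensions request `tabs`, so treat that finding as a prompt to review the extension rather than as a verdict.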

The real bad stuff is buried into a couple of obfuscated JavaScript files:

The larger one reveals a connection to a command and control server where it can receive instructions on what to do next:

Ad fraud and scams

The perpetrators behind this extension are checking for certain keywords within the current URL and blocking/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams.

This blog post wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a fake Microsoft warning.

Extension woes

Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.

If you ever visit family or friends who run Chrome or own a Chromebook, take a look at the installed extensions on their machines, and you’ll be surprised by how many shady or flat-out fraudulent ones are in there.

In addition to redirecting to bogus sites and junk offers, there are some serious privacy and security implications (Rogue Google Chrome Extension Spies On You) when an extension can read what you type and send this information to criminals.

Google has pulled this bogus extension from its store. If you already have it installed and can’t get rid of it (it won’t let you do it the regular way), please download Malwarebytes and run a scan. We detect and remove this one as Rogue.ForcedExtension.