Given Google Chrome's popularity, it is no surprise to see it being targeted more and more these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.
In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen…
Google Chrome users are profiled based on the user-agent string they present whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.
This malvertising flow (XML feed) shows how the user is redirected to a bogus site that entices them to install a Chrome extension.
Enticing might in fact be a euphemism, since in this case the user is given no choice other than "Add Extension to Leave", while their browser is stuck in a never ending loop of fullscreen modes. The tricks used here are very similar to what Pieter Arntz described in his Nov. '16 blog (Forced into installing a Chrome extension).
Hidden but omnipresent
Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu in the animation below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstall one of them.
The larger one reveals a connection to a command and control server where it can receive instructions on what to do next:
Ad fraud and scams
The perpetrators behind this extension are checking for certain keywords within the current URL and blocking/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams.
This blog post wouldn't be complete without a tech support scam, which it seems one can't avoid these days. If the user clicked on a new tab or typed a "forbidden" keyword, the redirection chain would then deliver a fake Microsoft warning.
Google Chrome extensions are very powerful programs which are extremely useful in extending the browser's capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.
If you ever visit family or friends who run Chrome or own a Chromebook, check the installed extensions on their machines, and you'll be surprised by how many shady or flat out fraudulent ones are in there.
In addition to redirecting to bogus sites and junk offers, there are some serious privacy and security implications (Rogue Google Chrome Extension Spies On You) when an extension can read what you type and send this information to criminals.
Google has pulled this bogus extension from its store. If you already have it installed and can't get rid of it (it won't let you do it the regular way), please download Malwarebytes and run a scan. We detect and remove this one as Rogue.ForcedExtension.
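The hiding tricks above (a 1×1 icon, chrome://extensions and chrome://settings hooked to bounce to chrome://apps) and the URL keyword redirects both leave static traces in an unpacked extension's files. The following Python scanner is an added example, not code from this post or from Malwarebytes: it walks an unpacked extension directory, reads the PNG icon dimensions straight from the IHDR chunk, flags the permissions that make tab redirection possible, and greps the scripts for the indicators described here. The heuristic names, the regexes, the scoring and the constructed sample extension are all assumptions made for the example.

```python
import json
import os
import re
import struct
import tempfile
import zlib

# Permissions that let an extension observe and redirect navigation (assumption:
# this list is a heuristic, not an authoritative "malicious permissions" set).
RISKY_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking",
                     "webNavigation", "<all_urls>"}

# Indicators taken from the behaviour described in the post; labels are ours.
SCRIPT_PATTERNS = {
    "hooks_chrome_pages": re.compile(r"chrome://(extensions|settings)"),
    "redirects_to_chrome_apps": re.compile(r"chrome://apps"),
    "programmatic_redirect": re.compile(r"chrome\.tabs\.update\s*\(|redirectUrl\s*:"),
    "url_keyword_filter": re.compile(r"\.(indexOf|includes|test|match)\s*\("),
}


def png_dimensions(path):
    """Return (width, height) from a PNG's IHDR chunk, or None if not a PNG."""
    with open(path, "rb") as f:
        head = f.read(24)
    # 8-byte signature, 4-byte length, 4-byte "IHDR", then width and height.
    if head[:8] != b"\x89PNG\r\n\x1a\n" or head[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", head[16:24])


def scan_extension(ext_dir):
    """Static scan of an unpacked extension directory; returns a findings dict."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    findings = {
        "risky_permissions": sorted(RISKY_PERMISSIONS & set(manifest.get("permissions", []))),
        "tiny_icons": [],      # icons of 2x2 pixels or smaller: invisible in the toolbar
        "script_hits": {},     # indicator label -> list of script file names
    }
    for icon in manifest.get("icons", {}).values():
        dims = png_dimensions(os.path.join(ext_dir, icon))
        if dims and dims[0] * dims[1] <= 4:
            findings["tiny_icons"].append((icon, dims))
    for root, _, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            for label, pat in SCRIPT_PATTERNS.items():
                if pat.search(src):
                    findings["script_hits"].setdefault(label, []).append(name)
    return findings


def risk_score(findings):
    """Crude triage score (assumption): tiny icons weigh double, others count once."""
    return (len(findings["risky_permissions"]) + 2 * len(findings["tiny_icons"])
            + len(findings["script_hits"]))


def write_1x1_png(path):
    """Write a valid 1x1 transparent PNG, the kind of logo the post describes."""
    def chunk(tag, data):
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)   # 1x1, 8-bit RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")   # filter byte + one pixel
    with open(path, "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
                + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def build_sample_extension(ext_dir):
    """Constructed test fixture (not the real extension) carrying the indicators."""
    manifest = {"manifest_version": 2, "name": "sample", "version": "1.0",
                "icons": {"16": "icon.png"},
                "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
                "background": {"scripts": ["background.js"]}}
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    write_1x1_png(os.path.join(ext_dir, "icon.png"))
    # Minimal script containing the textual indicators the scanner looks for.
    with open(os.path.join(ext_dir, "background.js"), "w", encoding="utf-8") as f:
        f.write('var blocked = ["chrome://extensions", "chrome://settings"];\n'
                'chrome.tabs.onUpdated.addListener(function (id, info, tab) {\n'
                '  if (tab.url && blocked.indexOf(tab.url.split("?")[0]) >= 0) {\n'
                '    chrome.tabs.update(id, { url: "chrome://apps" });\n'
                '  }\n'
                '});\n')
    return ext_dir


if __name__ == "__main__":
    d = build_sample_extension(tempfile.mkdtemp())
    result = scan_extension(d)
    print(json.dumps(result, indent=2), "score:", risk_score(result))
```

Run it against any unpacked extension directory (on Linux these live under the Chrome profile's `Extensions/` folder) by calling `scan_extension(path)`; a non-empty `tiny_icons` list together with a `hooks_chrome_pages` hit is exactly the "hidden but omnipresent" pattern described above and is worth a closer look.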