It has been discovered by researchers that more than 1.4 million devices have loaded a suite of malicious Google Chrome extensions created to track surfing activity.
According to a blog post by security firm McAfee, the scam works by having the operator of an ecommerce website change the victim’s browser cookies whenever the victim makes a purchase.
McAfee reports that the remaining Netflix Party extensions are still available for download, despite the removal of two of them from the official extension marketplace.
Chrome malware
Malicious Chrome extensions aren’t designed to exfiltrate personal data or install malware, but they still violate privacy.
As seen by the rise of VPN services and other ways to hide web activity, modern web users are unwilling to share their surfing data, especially in these conditions.
The fact that the extensions all serve a valid purpose makes this fraud tough to notice. They’re also well-reviewed, so potential victims don’t notice the fraud.
McAfee said the extensions let users watch Netflix together, get coupons, and take screenshots.
“Chrome extensions users are unaware of [the dangerous functionality] and the privacy risk of every visited site being communicated to extension authors’ servers.”
To avoid identification by analysts, the operators built some extensions to alter browser cookies weeks after installation.
Chrome users with the harmful extensions should uninstall them manually.
Malware list:
- Netflix Party
- Netflix Party 2
- FlipShope – Price Tracking Extension
- Full Page Screenshot Capture – Screenshotting
- AutoBuy Flash Sales