Date: 2022-08-31

The extensions that can be installed in Google Chrome are very useful to most users on a daily basis, but they can also be a tool for accessing your personal data. A recent investigation by McAfee has revealed five malicious extensions that users are advised to uninstall.

These five extensions have raised alarm bells because of how they behave and because they have had 1.4 million downloads globally. Overall, their purpose is to monitor users' activity while they browse the internet and to modify their cookies to add a referral link.

How these extensions work

It is well known that a person can earn a commission on purchases made on websites like Amazon when the buyer follows their affiliate link. That is why attackers use these extensions to automatically insert their own affiliate ID into links to Amazon or other stores and generate revenue.

The investigation identified five affected extensions, with 1.4 million downloads globally between them. The list is as follows:

Netflix Party – 800,000 downloads

Netflix Party 2 – 300,000 downloads

Full Page Screenshot Capture – Screenshotting – 200,000 downloads

FlipShope – Price Tracker Extension – 80,000 downloads

AutoBuy Flash Sales – 20,000 downloads

All of these extensions operate in a similar way. When one is installed in Chrome, it loads a multifunctional script that sends all browsing data to a domain controlled by the attacker. This information includes the URL being visited, the user ID and the location.

If the URL matches any of the websites that run affiliate programs, the server responds with a URL carrying the attacker's affiliate ID, which is inserted in place of the original, and it can also modify cookies. This behavior is not meant to block the browser or slow it down, but to profit from your visits to Amazon, eBay or any other store that offers an affiliate program.

McAfee has also published a video showing in much more detail how these extensions work.

The developers want the extensions to go completely unnoticed, which is why they set a delay before the extensions start operating. The delay is 15 days, and only after that do the sending of all browsing data and the URL spoofing begin. Given this, the usual recommendation is to avoid downloading extensions that do not come from known developers.
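The URL rewriting described above leaves a recognizable trace in a navigation log: the same page loads twice in quick succession, the second time with an affiliate parameter added or changed. The following detection sketch is an added example, not code from McAfee's report or from the extensions; the parameter names, the log record shape, the time window and the sample events are all assumptions made for illustration.

```javascript
// Added example: flag navigations where an affiliate parameter appears or
// changes on a page the same tab had just requested.
// ASSUMPTIONS: parameter names, time window and log record shape are illustrative.
const AFFILIATE_PARAMS = { "amazon.com": ["tag"], "ebay.com": ["campid"] };
const WINDOW_MS = 5000; // assumed max gap between original and rewritten load

// Return the affiliate parameter names watched for a hostname, or [].
function watchedParams(hostname) {
  for (const [domain, params] of Object.entries(AFFILIATE_PARAMS)) {
    if (hostname === domain || hostname.endsWith("." + domain)) return params;
  }
  return [];
}

// events: [{ ts: ms, tabId, url }] in chronological order.
function findAffiliateRewrites(events) {
  const findings = [];
  const lastByTab = new Map(); // tabId -> previous navigation in that tab
  for (const ev of events) {
    let cur;
    try { cur = new URL(ev.url); } catch { continue; } // skip malformed URLs
    const prev = lastByTab.get(ev.tabId);
    lastByTab.set(ev.tabId, { ts: ev.ts, url: cur });
    if (!prev || ev.ts - prev.ts > WINDOW_MS) continue;
    // Only compare reloads of the same page on the same host.
    if (prev.url.hostname !== cur.hostname || prev.url.pathname !== cur.pathname) continue;
    for (const p of watchedParams(cur.hostname)) {
      const before = prev.url.searchParams.get(p);
      const after = cur.searchParams.get(p);
      if (after !== null && after !== before) {
        findings.push({ tabId: ev.tabId, host: cur.hostname, param: p, before, after });
      }
    }
  }
  return findings;
}

// Constructed sample log (not real traffic).
const SAMPLE_EVENTS = [
  { ts: 1000, tabId: 1, url: "https://www.amazon.com/dp/EXAMPLE0001" },
  { ts: 1400, tabId: 1, url: "https://www.amazon.com/dp/EXAMPLE0001?tag=constructed-20" },
  { ts: 2000, tabId: 2, url: "https://www.ebay.com/itm/123?campid=111" },
  { ts: 2300, tabId: 2, url: "https://www.ebay.com/itm/123?campid=999" },
  { ts: 9000, tabId: 3, url: "https://www.amazon.com/dp/EXAMPLE0002?tag=friend-20" },
  { ts: 9500, tabId: 3, url: "https://example.org/about" },
];

console.log(findAffiliateRewrites(SAMPLE_EVENTS));
```

A link that already carries an affiliate parameter when first opened (tab 3 in the sample) is not flagged; only a change between two loads of the same page is.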