{"id":6706,"date":"2017-02-21T10:10:01","date_gmt":"2017-02-21T18:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/21\/news-523\/"},"modified":"2017-02-21T15:02:54","modified_gmt":"2017-02-21T23:02:54","slug":"news-523","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/21\/news-523\/","title":{"rendered":"Rogue Chrome extension pushes tech support scam"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 21 Feb 2017 17:22:42 +0000<\/strong><\/p>\n

Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable\u00a0ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.<\/p>\n

In this post we look at a forced installation of such an extension that eventually leads to more adverts being\u00a0force fed\u00a0into Chrome. And once you spin the\u00a0malvertising roulette, anything can happen…<\/p>\n

Malvertising campaign<\/h3>\n

Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than\u00a0redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.<\/p>\n

\"\"<\/a><\/p>\n

This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension.<\/p>\n

Enticing might in fact be a euphemism, since in this case the user is giving no choice other than “Add Extension to Leave<\/strong><\/em>“, while their browser is stuck\u00a0in a never ending loop of fullscreen modes.\u00a0The tricks used here are very similar to what Pieter Arntz<\/a> described in his Nov. ’16 blog (Forced into installing a Chrome extension<\/em><\/a>).<\/p>\n

\"\"<\/p>\n

Hidden but omnipresent<\/h3>\n

Once installed, this extension ensures it stays in hiding by using\u00a0a 1×1 pixel image\u00a0as its logo (note the blank space on the top right next to the Chrome menu from the animation below) and\u00a0by hooking\u00a0chrome:\/\/extensions<\/em> and chrome:\/\/settings<\/em> such that any attempt to access those is automatically redirected to\u00a0chrome:\/\/apps<\/em>. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them.<\/p>\n

\"\"<\/p>\n

The real bad stuff is buried into a couple of obfuscated JavaScript files:<\/p>\n

\"\"<\/p>\n

The larger one reveals a connection to a command and control server where it can receive instructions on what to do next:<\/p>\n

\"\"<\/a><\/p>\n

Ad fraud and scams<\/h3>\n

The perpetrators behind this extension are checking for certain keywords within the current URL and blocking\/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one\u00a0of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams.<\/p>\n

\"\"<\/p>\n

This blog post wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a fake Microsoft warning.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Extension woes<\/h3>\n

Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people\u00a0into installing their malicious extension.<\/p>\n

If you ever visit family or friends who run\u00a0Chrome or own a Chromebook, have a check at the installed extensions on their machines, and you’ll be surprised by how many shady or flat out fraudulent ones are in there.<\/p>\n

In addition to redirecting to bogus sites and junk offers, there are some\u00a0serious privacy and security implications (Rogue Google Chrome Extension Spies On You<\/em><\/a>) when an extension can read what you type and send this information to criminals.<\/p>\n

\"\"<\/p>\n

Google has pulled\u00a0this bogus extension from its store. If you already have it installed and can’t get rid of\u00a0it (it won’t let you do it the regular way), please download Malwarebytes and run a scan. We detect and remove this one as\u00a0Rogue.ForcedExtension<\/em>.<\/p>\n

IOCs<\/h3>\n

Fake extension:<\/em><\/u>
pakistance.club<\/em>
lfbmleejnobidmafhlihokngmlpbjfgo<\/em><\/p>\n

Backend server (ad fraud\/malvertising):<\/em><\/u>
amserver.info<\/em>
qma0.2dn.xyz<\/em><\/p>\n

Tech support scam:<\/em><\/u>
microsoft-official-warning.info<\/em><\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 21 Feb 2017 17:22:42 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Google Chrome may be one of the more secure browsers but an increasing number of malicious extensions are being forced onto users. The one we analyze can hide itself and receive commands from a remote server in order to hijack the browser with incessant offers, fraud and even tech support scams.<\/p>\n

Categories: <\/p>\n