
Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

by Jamila Kaya and Jacob Rickerd

00. Introduction

Cisco’s Duo Security released CRXcavator, our automated Chrome extension security assessment tool, for free last year in order to reduce the risk that Chrome extensions present to organizations and to enable others to build on our research to create a safer Chrome extension ecosystem for all.

In a perfect example of the research we hoped to facilitate, security researcher Jamila Kaya (@bumblebreaches) used CRXcavator to uncover a large scale campaign of copycat Chrome extensions that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store. Duo, Jamila, and Google worked together to ensure these extensions, and others like them, were promptly found and removed.

01. A New Campaign

Jamila contacted Duo about a variety of Chrome extensions she identified to be operating in a manner that initially seemed legitimate. Upon further investigation, they were found to infect users’ browsers and exfiltrate data as part of a larger campaign.

These extensions were commonly presented as offering advertising as a service. Jamila discovered they were part of a network of copycat plugins sharing nearly identical functionality. Through collaboration, we were able to take the few dozen extensions and use CRXcavator to identify 70 matching their patterns across 1.7 million users, and escalate our concerns to Google.

Google was receptive and responsive to the report. Once the report was submitted, they worked to validate the findings and went on to fingerprint the extensions. This allowed Google to search the entire Chrome Web Store corpus to discover and remove more than 500 related extensions.

**_“We appreciate the work of the research community, and when we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses,”_ said a Google spokesperson. _“We do regular sweeps to find extensions using similar techniques, code, and behaviors, and take down those extensions if they violate our policies.”_**

02. Malvertising on the Rise

Increasingly, malicious actors use legitimate internet activity to obfuscate their exploit droppers or command-and-control schemes. A very popular way to do this is to use advertising cookies and the redirects they trigger to control callbacks and evade detection. This technique, called “malvertising,” has become an increasingly common infection vector in Jamila's experience, and is still hard to detect today despite having been prominent for years.

Malvertising often occurs within other programs, acting as a vehicle for multiple forms of fraudulent activity, including ad fraud, data exfiltration, phishing, monitoring, and exploitation. It also emerges in multipart malicious campaigns that combine advertising data collection with fraud.

This is evident in recent write-ups on independent and multi-part malvertising campaigns, such as the 3VE campaign and the more recent Fake jQuery campaign.

The prominence of malvertising as an attack vector will continue to rise as long as tracking-based advertising remains ubiquitous, and particularly if users remain underserved by protection mechanisms.

03. Bad Behavior

Browser extensions have been known as a weak point for individual security and privacy, due to their potential for misuse under the general guise of helpful applications.

In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the user’s knowledge, expose the user to the risk of exploitation through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms. While this research and CRXcavator's analysis in general can help us understand a lot about the architecture and operation of such malicious extensions, the question of how the extensions came to be installed on any given system is not one we have the data to answer at this time.

To break down how this occurs, Jamila mapped out a few key functions of the architecture that this single threat actor had been using for at least the last one to two years, with potential activity dating back to the early 2010s.

Jamila then compared her findings to take note of additional patterns. The main site is referenced in the description and is always the exact name of the plugin, just with “.com” appended. No contact or support information is explicitly listed in any of these extensions either.

The plugins have almost no ratings, and the source code of the plugins is nearly identical from one to the next. The only substantial differences in the source code are the names of the functions. Given how many more of these plugins exist than comparable plugins and services, it’s likely that simply renaming all of the functions reduces the similarity between them enough to avoid detection mechanisms.

This similarity is shown below in a comparison of the code of two plugins, MapsTrek Promos and CrushArcade Advertisements. The code on the left, from CrushArcade, references the same C2 sites but is adjusted to reference a “CA” network (Crush Arcade) and lives in a file named adapt_timetable.js, while the code on the right references “MT” (MapsTrek) and is called addition_thread.js. The version notation is also strikingly similar: the code versioning for these plugins is always four sections in length.
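Google fingerprinted the extensions to find the rest of the family; one way to make such a fingerprint immune to the function-renaming trick described above is to normalize identifiers before comparing code. The following is an added example (not CRXcavator's, Duo's or Google's code) using two constructed scripts that stand in for the adapt_timetable.js / addition_thread.js pair; the keyword list and tokenizer are deliberate simplifications.

```python
"""Identifier-agnostic fingerprinting of near-identical extension scripts."""
import hashlib
import re

# Tokens: identifiers, string literals, numbers, then any single other character.
TOKEN_RE = re.compile(r"""[A-Za-z_$][A-Za-z0-9_$]*|"[^"]*"|'[^']*'|\d+(?:\.\d+)*|\S""")

# JavaScript keywords and browser/extension globals kept verbatim (simplified list);
# any other identifier is treated as author-chosen and therefore renameable.
KEEP = {
    "var", "let", "const", "function", "return", "if", "else", "for", "new",
    "true", "false", "null", "this", "chrome", "storage", "local", "fetch",
    "then", "setInterval", "JSON", "stringify", "parse", "json",
}

def normalize(src):
    """Map author-chosen identifiers to ID0, ID1, ... in order of first appearance
    and collapse string/number literals to STR/NUM, so renaming every function,
    retagging "CA" to "MT" or bumping a four-part version leaves the stream unchanged."""
    names, out = {}, []
    for tok in TOKEN_RE.findall(src):
        if tok[0] in "\"'":
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif re.match(r"[A-Za-z_$]", tok) and tok not in KEEP:
            out.append(names.setdefault(tok, f"ID{len(names)}"))
        else:
            out.append(tok)
    return out

def fingerprint(src):
    """Hash of the normalized token stream: identical for renamed clones."""
    return hashlib.sha256(" ".join(normalize(src)).encode()).hexdigest()

def jaccard(a, b, n=4):
    """Similarity of two scripts on normalized token n-grams, 0.0 to 1.0."""
    def grams(src):
        toks = normalize(src)
        return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}
    ga, gb = grams(a), grams(b)
    return len(ga & gb) / len(ga | gb) if ga or gb else 1.0

# Constructed stand-ins for the two plugins' scripts (not the real extension code).
CRUSH_ARCADE = """
var acctrDomains = ["a.example", "b.example", "c.example"];
var netTag = "CA"; var ver = "1.4.2.9";
function pullSchedule(u) { return fetch(u + "?p=" + netTag).then(function (r) { return r.json(); }); }
function adaptTimetable() { for (var i = 0; i < 3; i = i + 1) { pullSchedule(acctrDomains[i]); } }
setInterval(adaptTimetable, 3600);
"""
# The same code with every function renamed and the network tag and version changed.
MAPS_TREK = (CRUSH_ARCADE.replace("pullSchedule", "fetchThread")
             .replace("adaptTimetable", "additionThread")
             .replace('"CA"', '"MT"').replace("1.4.2.9", "2.0.1.3"))
UNRELATED = 'function hello() { return "hi"; }'

if __name__ == "__main__":
    print(fingerprint(CRUSH_ARCADE) == fingerprint(MAPS_TREK))  # True
    print(jaccard(CRUSH_ARCADE, MAPS_TREK), jaccard(CRUSH_ARCADE, UNRELATED))
```

The raw SHA-256 of the two scripts differs, but their normalized fingerprints match, which is the property a store-wide sweep for clones needs.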

The level of permissions requested by each plugin is similarly high and is identical between them, allowing them to access a large amount of data in the browser. In addition, the external sites contacted are identical across all the plugins involved, with the exception of the plugin “front” site.

Once on the user’s browser, the plugin will call out to the site referenced by its name, Mapstrek<dot>com, ArcadeYum<dot>com, or the like (partial list in the IOC document), and does so at regular intervals to receive instruction on whether or not to uninstall. Sandboxes report that trying to navigate to each of the plugin sites immediately takes them to a gdprcountryrestriction<dot>com site, to which impacted users are not taken. This could indicate that the plugin is attempting to appear legitimate and hide its behavior from sandboxes.

Once the impacted user’s machine makes contact with the plugin site, it moves on to the hard-coded “acctrDomains” referenced in the above code, of which there are three. Only one of these is used, and it is almost always the first in the series, DTSINCE<dot>com. These operate as command and control domains: the user’s host regularly checks in with the other domains at an asynchronous interval to receive new instructions, locations to upload data, and new domain and feed lists for advertisements and future redirects.

Above is an example of the communications that a host receives from the command sites pulled from memory on an impacted host.

Once the impacted host has the new directions, it performs three or more operations: uploading requested data, updating its config, and being sent through a redirection stream.

The upload is made to data<dot>multitext<dot>com, identified as the data exchange domain in transactions. The data exchanged includes, but is not limited to, usage, timing, idle activity, tracking, and browser activity and statistics, sometimes mimicking advertising telemetry, but of course without general consent.

The app config update seems to occur either at the control domains or at dmnsg<dot>com as pulled from a settle_signal.js on an impacted host.

The primary malicious activity and ad fraud occurs through the redirection streams. Host sites owned by the actor are listed in the above screenshots; all are named similarly and (almost all) are hosted in AWS. Generally variants of words like “RandomDomain” with the vowels removed, they are easily recognized as human-created words that have been obfuscated by machine operations.

The user regularly receives new redirector domains, as they are created in batches, with several of the earlier domains created on the same day and hour. They all operate in the same way, receiving the signal from the host and then sending the user to a series of ad streams, and subsequently to legitimate and illegitimate ads. Some of these are listed in the “End domains” section of the IOCs, though they are too numerous to list in full.

A large portion of these are benign ad streams, leading to ads for Macy’s, Dell, or Best Buy. What differentiates this as malvertising and ad fraud rather than legitimate advertising is the large volume of ad content shown, the fact that the user does not see many, if not the majority, of these ads, and the fact that malicious third-party actors are actively using these streams to redirect the user to malware and phishing. This is evidenced by “End Domains” sites such as sponsergift<dot>pro, usapremiumclub (and associated “usa” sites), jenrx2u<dot>com, and 3f6i9<dot>com. Some of these ads could be considered legitimate; however, 60 to 70 percent of the time a redirect occurs, the ad streams reference a malicious site.

Additionally, some of the malicious domains occur multiple times across disparate users and, in Jamila’s research, have never been seen to occur with other plugins or ad streams. While the primary intention of the plugin at this point is still to cycle through the redirection streams in order to generate ad revenue, users are exposed to additional risk of infection or phishing through these redirects. The volume of redirects oscillates from 7 to 10 to more than 30.

At this point, if the user does not regularly check their plugins, it continues to collect data and generate internal revenue on the user’s machine largely undetected.
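The behaviour described above leaves two traces a defender can look for in web-proxy logs: regular check-ins from a client to the plugin's name-derived front site, and requests matching the redirector URI patterns from the indicator index (Scz?p= and Fzs?p=). The following is an added example, not CRXcavator's or Duo's code; it assumes a simple "timestamp client method url" log format, and the log lines, client addresses and extension inventory are constructed.

```python
"""Flag front-site check-ins and redirector URIs in constructed proxy logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Suffixes the campaign appends to the brand in plugin names (from the indicator index).
NAME_SUFFIXES = ("Advertisement Offers", "Advertising Offers", "Advertisements",
                 "Advertising", "Promotions", "Promos", "Marketing", "Ad Offers",
                 "Offers", "Ads")
# "<Ads|Offers|...> by <Brand>" naming form, e.g. "Ads by MapsVoyage".
BY_RE = re.compile(r"^(?:Ads?|Ad Offers|Advertising(?: Offers)?|Advertisements?(?: Offers)?|Offers)"
                   r"\s+by\s+(.+)$", re.IGNORECASE)
# Redirector URI patterns from the indicator index: /Scz?p= and /Fzs?p=
REDIRECTOR_RE = re.compile(r"/(?:Scz|Fzs)\?p=", re.IGNORECASE)
# Assumed (constructed) log format: "<ISO timestamp> <client IP> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def front_domain(plugin_name):
    """The write-up reports the plugin's main site is its name plus '.com':
    'MapsTrek Promos' -> 'mapstrek.com', 'Ads by MapsVoyage' -> 'mapsvoyage.com'."""
    m = BY_RE.match(plugin_name)
    brand = m.group(1) if m else plugin_name
    if not m:
        for suffix in NAME_SUFFIXES:
            if brand.lower().endswith(" " + suffix.lower()):
                brand = brand[: -len(suffix) - 1]
                break
    return brand.replace(" ", "").lower() + ".com"

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": urlparse(url).hostname, "url": url}

def analyze(lines, installed_names, min_beacons=3, tolerance_s=30):
    """Return (kind, client, host, detail) findings: 'redirector-uri' for URLs matching
    the redirector pattern, 'front-beacon' for a client hitting a plugin's front
    domain at least min_beacons times at a near-constant interval."""
    fronts = {front_domain(n): n for n in installed_names}
    beacons = defaultdict(list)  # (client, host) -> timestamps
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if REDIRECTOR_RE.search(rec["url"]):
            findings.append(("redirector-uri", rec["client"], rec["host"], rec["url"]))
        if rec["host"] in fronts:
            beacons[(rec["client"], rec["host"])].append(rec["ts"])
    for (client, host), stamps in beacons.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_beacons - 1 and max(gaps) - min(gaps) <= tolerance_s:
            findings.append(("front-beacon", client, host,
                             f"{fronts[host]} every ~{round(sum(gaps) / len(gaps))}s"))
    return findings

# Constructed log lines; not from any real host.
LOG_LINES = [
    "2019-06-01T10:00:00 10.0.0.5 GET https://mapstrek.com/check",
    "2019-06-01T11:00:02 10.0.0.5 GET https://mapstrek.com/check",
    "2019-06-01T12:00:02 10.0.0.5 GET https://mapstrek.com/check",
    "2019-06-01T12:00:20 10.0.0.5 GET https://rdrctr-example.net/Scz?p=xyz",
    "2019-06-01T12:00:21 10.0.0.5 GET https://shop-example.com/deals",
    "2019-06-01T09:15:00 10.0.0.9 GET https://mapstrek.com/check",
]
INSTALLED = ["MapsTrek Promos", "Ads by MapsVoyage"]  # constructed extension inventory

if __name__ == "__main__":
    for finding in analyze(LOG_LINES, INSTALLED):
        print(finding)
```

A single visit to a front site (client 10.0.0.9 here) is not reported; only the steady hourly cadence from 10.0.0.5 is, which is the check-in behaviour the write-up describes.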

After investigating the components owned by this actor, it appears that though the ultimate registrant is always obfuscated, they seem to actively maintain the plugin sites, control sites, and redirector sites. The upload and config sites may or may not be controlled directly by the actor, but it is worth noting they also redirect to the same gdprcountryrestriction<dot>com when run through sandboxes.

At the time of discovery, very few threat intelligence vendors had explicitly categorized any part of this infrastructure as malicious or phishing. An exception to this is the state of Missouri, which listed DTSINCE<dot>com as phishing, without context, at the beginning of the year.

After threat hunting with open resources, Jamila was also able to discover malware directly tied to these plugin sites, likely operating under a different design and function but for the same user. Two samples are directly tied to Mapstrek<dot>com and Arcadeyum<dot>com. While lacking many of the IOCs from the plugin architecture, they contain similarities to each other, including references to the same domains.

Additionally, searching for these indicators through proprietary sandboxes pulled multiple instances of malware tied to the Arcadeyum site as well as to the redirector domains. Some of the hashes found here, such as “68707cfc2c7bfe721e22f681c86480c012ce7b28f442c2e0090fde95663b6f13” are classified in VirusTotal as related to the GameVance PUP software/adware.

This tie-in, as well as the plugin proliferation, suggests that potentially this actor has been operating for a while and has continued to grow while avoiding detection.

In all instances of impacted users, no trace of Gamevance or other arcade software was found or visited. This particular association may be tangential.

04. Turning Back the Clock

Based upon Jamila’s observation at the time of her research, the actor had been active for at least eight months, since January of 2019, and had grown rapidly in activity thereafter, especially from March through June of 2019 — with dozens of new variant plugins released and new domains and infrastructure being stood up monthly. It is possible that this actor has been active much longer than this, as some malware and domains associated with the traffic were registered in 2018 and 2017.

Multiple portions of the architecture to support this plugin network were created on the same day or month, with new components, such as redirector domains, released in chunks.

The instruction domains seem to have been created June 23, 2017, so that is likely the start of this particular behavior.

The redirector domains were created at various times, with multiple created in pairs or around similar times, such as:

New redirector domains were created as recently as mid-April. Recently, the redirector domains have been increasingly leased from non-AWS hosters, whereas the early domains were almost exclusively AWS hosted.

The more recent domains, despite the variation, seem to have left some information in the registrar fields, and some of the redirector domains updated in March left non-obfuscated email addresses in the registration fields. A reverse DNS lookup indicates registrations of many potential phishing sites, but not enough investigation was done to fully attribute this.

05. CRXcavator

Duo was excited to be able to work with Jamila on these findings. Much of this data was able to be gathered using CRXcavator, Duo’s free automated Chrome extension security assessment tool.

Duo’s mission has always been to democratize security, and we felt no different about Chrome extensions. CRXcavator empowers organizations to assess potential risks an extension may pose to decide whether or not to allow it to be installed on their users’ endpoints. Browser-extension security expert or not, anyone can use CRXcavator to empower organizations of any size to stay secure. To learn more about the tool, check out the CRXcavator release blog post.

06. A Brighter Future Ahead

Google has implemented a new user data privacy policy and secure-handling requirements. These new guidelines require all extensions that handle user data to have a privacy policy, gain consent from the user, and use only the minimum required set of permissions. To help with enforcement, Google has also implemented the Developer Data Protection Reward Program, which pays out bounties to people who find extensions that violate this policy. Combined with the upcoming Manifest V3, these steps demonstrate that Google has been taking user privacy seriously and is making great strides to ensure the security of its user base.

07. Conclusion

The outcome of Jamila’s research, with collaboration from Duo and Google, demonstrates both the increasing real-world risk of Chrome extensions and the utility of CRXcavator as a tool to aid researchers in finding abuse like this. Collectively, we identified 500 Chrome extensions that infected users’ browsers and were consequently removed from the Web Store. More than 1.7 million users were affected, which indicates the scale at which browser extensions, when used as an attack vector, can impact end users. As part of good security hygiene, we recommend users regularly audit what extensions they have installed, remove ones they no longer use, and report ones they do not recognize. Being more mindful, and having easier access to information about extensions, can help keep both enterprises and users safe.

08. Indicator Index

The Plugin, Control, Deterministic, Redirector, Local Storage Exfil and End Domain values of the original index are not recoverable from this copy; only the entries below survive.

| IOC | Type |
| --- | --- |
| gamedaddio | Plugin Domain |
| Froovr | Plugin Domain |
| .com | TLD |
| .net | TLD |
| .pro | TLD |
| .vip | TLD |
| PackageTrak Promos | Plugin Name |
| ProMediaConverter Promotions | Plugin Name |
| EasyToolOnline Promos | Plugin Name |
| CrushArcade Ads | Plugin Name |
| GreatArcadeHits Ads | Plugin Name |
| ArcadeFrontier Ads | Plugin Name |
| MapsFrontier Advertising | Plugin Name |
| SuperSimpleTools Promos | Plugin Name |
| Advertisements by ArcadeYum | Plugin Name |
| PackTrackPlus Promos | Plugin Name |
| EasyToolOnline Promos | Plugin Name |
| PlayPopGames Ads | Plugin Name |
| QuickNewsPlus Promos | Plugin Name |
| GameZooks Advertisements | Plugin Name |
| PackTrackPlus Promotions | Plugin Name |
| PackTrackPlus Promotions | Plugin Name |
| MapsFrontier Advertisement Offers | Plugin Name |
| ExpressDirections Promos | Plugin Name |
| MapsTrek Promos | Plugin Name |
| ClassifiedsNearMe Promos | Plugin Name |
| MapsTrek Promos | Plugin Name |
| ClassifiedsNearMe Promos | Plugin Name |
| ExpressDirections Promos | Plugin Name |
| MapsTrek Offers | Plugin Name |
| MapsVoyage Promotions | Plugin Name |
| FreeWeatherApp Promotions | Plugin Name |
| EarthViewDirections Promotions | Plugin Name |
| MapsFrontier Advertisements | Plugin Name |
| ArcadeCookie Offers | Plugin Name |
| RecipeAlly Promos | Plugin Name |
| MapsTrek Promotions | Plugin Name |
| Offers by MapsFrontier | Plugin Name |
| GamesChill Ads | Plugin Name |
| PackTrackPlus Promotions | Plugin Name |
| MapsVoyage Ads | Plugin Name |
| Advertising by MapsFrontier | Plugin Name |
| PlayZiz Advertisements | Plugin Name |
| Advertising Offers by MapsVoyage | Plugin Name |
| MapsFrontier Advertising Offers | Plugin Name |
| FreeWeatherApp Promos | Plugin Name |
| FreeWeatherApp Advertisement Offers | Plugin Name |
| ExpressDirections Ads | Plugin Name |
| YoYoQuiz Promotions | Plugin Name |
| MapsVoyage Advertising | Plugin Name |
| MapsPilot Ad Offers | Plugin Name |
| GoFreeRadio Promos | Plugin Name |
| Advertising Offers by FreeWeatherApp | Plugin Name |
| Advertisement Offers by QuizKicks | Plugin Name |
| Ads by MapsVoyage | Plugin Name |
| JumboQuiz Advertising | Plugin Name |
| MapsScout Advertising Offers | Plugin Name |
| DeluxeQuiz Advertising | Plugin Name |
| SuperSimpleTools Promos | Plugin Name |
| Advertising by MapsPilot | Plugin Name |
| Advertisements by MapsScout | Plugin Name |
| PackageTrak Promos | Plugin Name |
| Ad offers by Froovr | Plugin Name |
| PackageTrak Promos | Plugin Name |
| GameDaddio Marketing | Plugin Name |
| DearQuiz Advertising | Plugin Name |
| Offers by MapsScout | Plugin Name |
| YoYoQuiz Advertisements | Plugin Name |
| Advertisment Offers by GameDaddio | Plugin Name |
| QuizFlavor Advertising | Plugin Name |
| Advertisements by QuizDiamond | Plugin Name |
| QuizPremium Advertisements | Plugin Name |
| CouponRockstar Offers | Plugin Name |
| MapsFrontier Promos | Plugin Name |
| Advertising Offers by MapsPilot | Plugin Name |
| PlayThunder Offers | Plugin Name |
| LoveTestPro Ad Offers | Plugin Name |

| IOC | Type |
| --- | --- |
| ff6f8c062bb9b4b66de6929ff2921f5fd9eff4b013b32842e9e7e51f609c1f0f | SHA256 Hash |
| 0c1a8ca8ad72db5c0c3babc8d2488cc4ac7815d8158d170c5fd4c1056cd7dd87 | SHA256 Hash |
| 68707cfc2c7bfe721e22f681c86480c012ce7b28f442c2e0090fde95663b6f13 | SHA256 Hash |
| Maps | Plugin Name Pattern |
| Promos | Plugin Name Pattern |
| Pack | Plugin Name Pattern |
| Plus | Plugin Name Pattern |
| Ad | Plugin Name Pattern |
| Advertising | Plugin Name Pattern |
| Offers | Plugin Name Pattern |
| Quiz | Plugin Name Pattern |
| Marketing | Plugin Name Pattern |
| Promotions | Plugin Name Pattern |
| Advertisements | Plugin Name Pattern |
| Scz?p= | Redirector URI Pattern |
| Fzs?p= | Redirector URI Pattern |