Affiliate scam: Chrome browser add-ons with 1.4 million installs

There are five malicious browser extensions for Google Chrome out of a total of 1.4 million installations. McAfee’s IT security experts have discovered that the add-ons divert and manipulate data in the browser and foist cookies on users, which bring the programmers affiliate income.

These are browser extensions that sell coupon codes or offer to watch Netflix with others, as well as those that take screenshots of web pages. In the add-on descriptions in the web store, the add-on programmers sometimes copy texts from popular extensions with the same functions.

Unwanted additional functions

In addition to the function actually offered, the harmful browser extensions do even more: they track the surfing behavior of users. Every website visited ends up on the servers of the extension programmers. McAfee’s IT security researchers explain in a blog post that they want to use this to integrate their own code into eCommerce websites they visit.

In doing so, they modify the cookies on the website so that the add-on developers receive affiliate payments for each item purchased. Users are unaware of this feature and the risk to their privacy of having all visited pages sent to the servers of the masterminds behind the extensions.

Specifically, the add-ons send the URL of the website visited to a server owned by the add-on developers. This looks up whether it has an affiliate ID for the website and, if so, sends back an address. The add-on builds this address into the website as an iframe and sets the cookie with the scammers’ affiliate ID. They then receive an unjustified commission when they make a purchase on the website.

Some add-on programmers install delays in order to avoid detection of malicious functions through automatism. The add-ons then only set the fake cookies 15 days after installation; before that they remain unsuspicious. Chrome users should quickly uninstall the five add-ons that McAfee found.