Two widely used ad-blocking Google Chrome extensions, posing as the original AdBlock and uBlock Origin extensions on the Chrome Web Store, have been caught stuffing cookies into the web browsers of millions of users to fraudulently generate affiliate income from referral schemes.
There’s no doubt web extensions add a lot of useful features to web browsers, making your online experience great and aiding productivity, but at the same time, they also pose huge threats to both your privacy and security.
Often the most overlooked weak link in the browser security model, extensions sit between the browser application and the Internet, where they can see the websites you visit and subsequently intercept, modify, and block any requests, depending on the functionality they have been designed for.
Apart from the extensions which are purposely created with malicious intent, in recent years we have also seen some of the most popular legitimate Chrome and Firefox extensions going rogue after gaining a massive user base or getting hacked.
Discovered by researchers at AdGuard, the two newly caught Chrome extensions mentioned below were found using the names of two real and very popular ad-blocking extensions in an attempt to trick most users into downloading them.
- AdBlock by AdBlock, Inc — over 800,000 users
- uBlock by Charlie Lee — over 850,000 users
Though these extensions worked just as any other ad blocker does, removing ads from the web pages a user visits, the researchers caught them performing “Cookie Stuffing”, an ad fraud scheme, to generate revenue for their developers.
What is Cookie Stuffing Ad Fraud Scheme?
Cookie Stuffing, also known as Cookie Dropping, is one of the most popular types of fraud schemes, in which a website or a browser extension drops handfuls of affiliate cookies into users’ web browsers without their permission or knowledge.
These affiliate tracking cookies then keep track of users’ browsing activities and, if the users make online purchases, the cookie stuffers claim commissions for sales they actually had no part in making, fraudulently taking credit that should be attributed to someone else.
After being installed for around 55 hours, the two ad-blocking extensions discovered by the researchers were found sending out a request to a URL for each new domain users visited, in an attempt to receive affiliate links from the sites users visited.
The two extensions, with 1.6 million active users, were stuffing cookies from 300 websites from the Alexa Top 10000 most popular websites, including teamviewer, microsoft, linkedin, aliexpress, and booking.com, potentially making millions of dollars a month for their developers, according to the researchers.
“Actually, there’s a bright side to it. Now that this fraud scheme is uncovered, affiliate programs’ owners can follow the money trail and find out who is behind this scheme,” the researchers said.
“Another interesting thing about this extension is that it contains some self-protection mechanisms. For instance, it detects if the developer console is open, it ceases all suspicious activity at once.”
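The behaviour described above, one request to the same URL for each newly visited domain, can be looked for in captured browser traffic. The following Python is an added example, not code from the article or from AdGuard; the event format, the `nav`/`bg` labels, the 5-second window and every hostname are assumptions constructed for illustration, and it assumes the visited domain appears in plain text in the request URL.

```python
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample: (seconds, kind, url). "nav" = top-level page load,
# "bg" = request issued by an extension background page. All hosts are
# placeholders, not indicators from the AdGuard report.
EVENTS = [
    (0.0, "nav", "https://www.shop-a.example/"),
    (0.4, "bg", "https://collector.example/check?d=shop-a.example"),
    (0.6, "bg", "https://filters.example/easylist.txt"),
    (30.0, "nav", "https://www.shop-a.example/cart"),  # already-seen domain
    (60.0, "nav", "https://travel-b.example/deals"),
    (60.3, "bg", "https://collector.example/check?d=travel-b.example"),
    (90.0, "nav", "https://news-c.example/"),
    (90.2, "bg", "https://collector.example/check?d=news-c.example"),
    (120.0, "nav", "https://mail-d.example/"),
    (120.5, "bg", "https://filters.example/easylist.txt"),
]

def site(url):
    """Hostname without a leading 'www.' (simplification: no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def find_per_domain_beacons(events, window=5.0, min_domains=3):
    """Return {host: sorted visited domains} for hosts that receive a background
    request naming the visited domain soon after the first visit to it."""
    seen, pending = set(), []          # pending: (first_visit_time, domain)
    echoed = defaultdict(set)
    for ts, kind, url in sorted(events):
        if kind == "nav":
            domain = site(url)
            if domain and domain not in seen:
                seen.add(domain)
                pending.append((ts, domain))
            continue
        # Keep only first visits that are still inside the time window.
        pending = [(t, d) for t, d in pending if ts - t <= window]
        parts = urlsplit(url)
        haystack = unquote(parts.path + "?" + parts.query).lower()
        for _, domain in pending:
            if domain in haystack and site(url) != domain:
                echoed[site(url)].add(domain)
    return {h: sorted(d) for h, d in echoed.items() if len(d) >= min_domains}

if __name__ == "__main__":
    print(find_per_domain_beacons(EVENTS))
```

Because the researchers note that the extension ceases activity when the developer console is open, traffic for this kind of check has to be captured outside the browser's developer tools, for example at a proxy.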
Google Removed Both Ad Blocker Extensions from Chrome Web Store
Despite receiving multiple reports about how these extensions were deceiving users by using the names of other, more popular extensions, Google did not remove them from the Chrome Web Store, as Google policy does allow multiple extensions to have the same name.
However, after AdGuard researchers reported their findings of the malicious behavior of the two extensions, the tech giant removed both malicious extensions from the Google Chrome Store.
Since a browser extension takes permission to access all the web pages you visit, it can do practically anything, including stealing your online account passwords. So, you are always advised to install as few extensions as possible and only from companies you trust.
Before installing any extension or an app on your mobile phone, always ask yourself—Do I Really Need It?