McAfee researchers discovered five malicious Google Chrome extensions with a total install base of over 1,400,000. The malicious Google Chrome extensions were masquerading as Netflix viewers, website coupons, and apps for taking screenshots of a website.
The extensions are designed to track the user's browsing activity, and they can also insert code into eCommerce websites being visited. Basically, the extension modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.
The manifest.json sets an HTML background page, which loads the JavaScript file b0.js. That script sends every URL visited by the victims to the C2 and injects code into the eCommerce sites.
Some of the extensions implement a time check before performing any malicious activity, in order to avoid detection. The researchers noticed that the malicious extensions start operating 15 days after their installation.
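For defenders, the structure described above (a manifest that declares an HTML background page which in turn loads a script) can be triaged statically, which is not affected by the 15-day delay because nothing has to execute. The following is an added example, not code from McAfee or from the extensions: the permission watch lists, the function names and the sample extension are assumptions constructed for illustration, and only the file name b0.js comes from the write-up.

```python
import json, tempfile
from html.parser import HTMLParser
from pathlib import Path

# Watch lists are assumptions for triage, not indicators from the McAfee report.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"tabs", "cookies", "webRequest", "webNavigation"}

class ScriptSrc(HTMLParser):
    """Collect the src of every <script> tag in a background page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def audit_extension(ext_dir):
    """Return triage findings for one unpacked extension directory."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    bg = manifest.get("background") or {}
    page, scripts = bg.get("page"), list(bg.get("scripts", []))
    if page and (root / page).is_file():
        parser = ScriptSrc()
        parser.feed((root / page).read_text(encoding="utf-8", errors="replace"))
        scripts += parser.srcs  # scripts the background page pulls in
    declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}
    hosts, api = sorted(perms & BROAD_HOSTS), sorted(perms & SENSITIVE)
    # Flag for manual review: persistent script + all-sites access + sensitive API.
    return {"name": manifest.get("name"), "background_page": page,
            "background_scripts": scripts, "broad_hosts": hosts,
            "sensitive": api, "review": bool(scripts and hosts and api)}

def demo():
    """Audit a constructed sample extension (not a real one) in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "manifest.json").write_text(json.dumps({
            "name": "Constructed Sample", "manifest_version": 2,
            "background": {"page": "background.html"},
            "permissions": ["tabs", "storage", "<all_urls>"]}))
        (root / "background.html").write_text(
            '<html><body><script src="b0.js"></script></body></html>')
        return audit_extension(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A `review` result of true is a prompt to read the listed background scripts, not a verdict: many legitimate extensions declare the same permissions.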