” Tech Support scam ” uses rogue Google Chrome extension

Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.

In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen…

Malvertising campaign

Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.

This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension.

Enticing might in fact be a euphemism, since in this case the user is giving no choice other than “Add Extension to Leave“, while their browser is stuck in a never ending loop of fullscreen modes.

Hidden but omnipresent

Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu from the animation below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them.

Extension woes

Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.

If you ever visit family or friends who run Chrome or own a Chromebook, have a check at the installed extensions on their machines, and you’ll be surprised by how many shady or flat out fraudulent ones are in there. In addition to redirecting to bogus sites and junk offers, there are some serious privacy and security implications when an extension can read what you type and send this information to criminals.

Google has pulled this bogus extension from its store. If you already have it installed and can’t get rid of it (it won’t let you do it the regular way), please contact us. We detect and remove this one as Rogue.ForcedExtension.

source : MalwareBytes