Fake Malicious Extensions on Chrome Web Store!

Discussion in 'Browsers and Extensions' started by Prorootect, Nov 4, 2017.

  1. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #1 Prorootect, Nov 4, 2017
    Last edited: Nov 4, 2017
    Fake Malicious Extensions on Chrome Web Store! Examples found! There were many of them, which have not been cleaned up by the Store's tenants for a long time!
    Let's put our findings here and share our bad experiences.


    Today I saw "McAfee Endpoint Security Web Control" (I'm not sure ..) - "offered by McAfee Inc." (I'm not sure ..) - which has an enormous "2,307,970 users" number! Updated: June 1, 2016 - so the Chrome developers have had a long time to take it off the Store. Surely malicious, always read user comments before downloading:

    'Blocks known good sites needed for work and kills browser performance, whats not to like?' :notworthy:

    'All this did was add malware on my computer and made it run extremely slow.':notworthy:

    'I wanted to uninstall this because it clogs up my search pages advertising itself. However, after adding it to Chrome Portable, this will not disable or uninstall! I even uninstalled Chrome and reinstalled it and this extension was still there. It also prevented me from re-installing the Lastpass extension. This made Chrome useless to me. So, I had to switched to the Opera browser. This acts just like a piece of malware.':notworthy:

    'Causes chrome to hang for several minutes several times per day. Basically this is malware.':notworthy:

    Etc etc etc comments ..


    Let's put our findings here and share our bad experiences, thank you!
     
  2. TechMech

    TechMech New Member

    Nov 4, 2017
    2
    6
    -private-
    Windows 7
    McAfee
    I am currently unable to identify a solution, and will need extra information. During such attacks I would manually trace the main cause, then I would delete the main source leading to it. Extensions like these will most likely get deleted after you remove the backup and source. If your problem keeps re-occurring, I recommend asking a person you may know with strong knowledge about such malware. If the problem persists, I recommend you get it fixed at a computer workshop or tech support, or just back up the software you'd like to keep on a flash drive and then re-install your software.
     
  3. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    Thank you, TechMech !
    - but I didn't download this, of course ..

    You wrote that you 'need extra information' - but the extra information is surely in the user comments .. if you have many negative comments, it's a very bad extension, I think ... I'm not mistaken?
     
    venustus, bribon77 and frogboy like this.
  4. carsten ibsen

    carsten ibsen Level 20

    Sep 18, 2016
    980
    5,205
    retired
    denmark
    Windows 10
    Microsoft
    This is scary as H...:mad:
     
    frogboy, Prorootect and bribon77 like this.
  5. TairikuOkami

    TairikuOkami Level 8
    Content Creator

    May 13, 2017
    376
    1,592
    Postal Worker
    Slovakia
    Windows 10
    #5 TairikuOkami, Nov 4, 2017
    Last edited: Nov 4, 2017
    McAfee Corporate KB - Endpoint Security Web Control browser extensions must be enabled by the end user KB87568
    The article mentions "McAfee Endpoint Security Web Control 10.x" and this is indeed version 10.2, so I guess no fake?!

    Those extensions/apps work only when you have McAfee installed. I have just tried all 3 of them.
    Considering it is supposed to block webpages and advertise itself, it does what it does.

    McAfee SECURE Safe Browsing
     


  6. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #6 Prorootect, Nov 4, 2017
    Last edited by a moderator: Nov 11, 2017
    OK not fake (- and this is worse!) - but: read comments on Chrome Web Store ...:mad:

    "Those extensions/app work only when you have McAfee installed."
    - but this is NOT mentioned on the Chrome Web Store, for "McAfee Endpoint Security Web Control" ...

    Exactly, you've found this very meaningful sentence in your link:

    "McAfee Security Scan Plus is mostly a tool intended to sell McAfee programs."


    So it is proof that they think to earn the money (mostly ..), not the trust of all of us. Thank you very much, TairikuOkami !



    - hmm, this shows clearly, that I am in no way connected with McAfee company...?

    Well, found another McAfee 'gem' on the Web Store: McAfee SiteAdvisor Enterprise ..Version: 3.5.0.1275, Updated: October 4, 2017 , 1,352,493 users

    Only two comments (latest alerts ..) of users I copy here:

    'Modified Oct 20, 2017
    I have a couple websites that I use that are perfectly safe, I've used them before with no problems, and it keeps saying that it's safe, but I might want to be careful on said site. Oh, and i can't get rid of it either, it's a HUGE pain, NEVER GET THIS ADDON!!!! Also, on some pages the popup appears again...and again...and again.'

    'Modified Oct 24, 2017
    IT SUCKS!! it came installed by the school that gave me this laptop and i REALLY DONT KNOW WHY THEY WOULD INSTALL IT! it came installed by moderator which means i cant get rid of it UNLESS i hard restart but i dont want to. and it does a pop-up every time you use or click on any thing that are "unsafe"(youtube, netflix, crunchyroll, ect) and can be easily avoided by using ingonito or a pop-up blocker!! I WOULD GIVE THIS 00000000000000 STARS IF I COULD!!1!!1!!!!'


    Give shame to McAfee on the Chrome Web Store.
     
    plat1098, venustus and TairikuOkami like this.
  7. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    612
    2,867
    Holland
    Windows 7
    Default-Deny
    Sunshine-boy, frogboy and Prorootect like this.
  8. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #8 Prorootect, Nov 4, 2017
    Last edited by a moderator: Nov 11, 2017
    Read the first page of my topic: Add-on - "Chrome Adware Removal" extension block ransomware

    - because of the interesting discussion about extension security, from Windows_Security's post #11 to the bottom of the page - you also have this link,
    to the kjaer.io article (nice photo, scroll down): Malware in the browser: how you might get hacked by a Chrome extension

    Thank you, Windows_Security!


    GOOD, very good right extension skyZIP™ (skyZIP™ Proxy) acceleration and compression Proxy: Home | nynex - professional satellite services right site!
    Chrome Web Store URL: skyZIP™ Proxy
    - so it's offered by nynex - from Germany - Version: 0.8.1 - Updated: May 11, 2015 - Size: 71.25KiB

    BUT - on the Chrome Web Store, there is also another extension with the same name 'skyZIP Proxy' - maybe fake, maybe malware - offered by kibosh...xyz, don't touch this one, you never know!
    The same image ... Version: 1.0 - Updated: October 27, 2017 - Size: 74.37KiB - hmmm ... what is this similar extension?
    User Reviews
    All languages
    No comments

    WHY, Chrome developers - why didn't they delete this ...
     
    plat1098, frogboy, venustus and 2 others like this.
  9. browneylad

    browneylad Level 2

    Sep 27, 2017
    53
    219
    service
    India
    Windows 7
    Webroot
    Some extensions, when discarded due to being developed for FF 57 compatibility, must have been hijacked by others who put malicious code in them. It's so hard to tell sometimes. Great research Prorootect!
     
    Prorootect, frogboy and venustus like this.
  10. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #10 Prorootect, Nov 6, 2017
    Last edited: Nov 6, 2017
    Windows_Security - I downloaded, to test (for some seconds ..), this Symantec extension: 'Security Guard by Symantec' (Updated: October 18, 2017) with an ugly blue flat icon, then removed it.
    But with the 'remove event' here, a New Tab page was created, with the website:

    hxxp://mitarchive.info/temp/survey.html?inst=NaN&id=bce

    I looked at my 'Sur.ly Surfguard' icon - there was a triangle with an exclamation mark on the icon, and the icon pop-up text warned: "Unsafe: this website contains some kind of security threat or malware" .. McAfee (from the 'Full report' button on the icon) said of the 'mitarchive.info' page threat: 'Web Category: Search Engines' ...
    I took a look at the page, it was empty because of my anti-script engines, hopefully! I just closed it, that's all.
    So why is Symantec assisted by mitarchive.info?

    Google about mitarchive.info: 'A description for this result is not available because of this site's robots.txt' - so not good I think.

    Maybe threat, maybe no threat - but I prefer to have confidence in my 'Sur.ly Surfguard'.:)

    __________________________

    'Avira Antivirus - Protector of Online Surfing', ugly blue flat icon .. then the pop-up from the icon has the same interface as the one from the Symantec extension! - so the same inscription 'Protection is On' - and no Options, like in the other extension..
    So I removed it - and in the New Tab page I see

    hxxp://mitarchive.info/temp/survey.html?inst=NaN&id=fib


    .. aaaa ..

    - Cool, this cooperation between producers of delusions for poor web users.

    ... and why Symantec extension has Size: 649KiB, and Avira extension has Size: 1.63MiB ..
     
    frogboy, browneylad, XhenEd and 2 others like this.
  11. browneylad

    browneylad Level 2

    Sep 27, 2017
    53
    219
    service
    India
    Windows 7
    Webroot
    Had a popup blocker installed a few days ago for testing. It was kept deactivated but twice became active by itself when Chrome started, and today I found in the extension list that "it may have been compromised" was written under it. During removal it opens some Google feedback form, possibly a phishing page.
     
  12. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #12 Prorootect, Nov 7, 2017
    Last edited by a moderator: Nov 11, 2017
    Ha - downloaded yesterday in Firefox: 'Popup Blocker for Firefox: Poper Blocker', and Pop-up Controller, seen nothing bad ..
    - on Chromium forks I have my ZenMate Web Firewall, anti-script extensions and Content-Aware Ad Blocker .. no other ad blockers, and never seen ads ..:)

    If you search the Chrome Web Store for these three words: 'web shield protection' - you receive a plethora of fake or malicious extension results, many with the same opening sentence (only the name of the extension changes):
    "... helps provide quick, easy and convenient search results for every day needs."
    Never any user comments, none.

    Why does Google allow this to happen - for pennies probably...
     
    harlan4096 and browneylad like this.
  13. Tsiehshi

    Tsiehshi Level 1

    Nov 11, 2017
    43
    118
    Somewhere
    #13 Tsiehshi, Nov 11, 2017
    Last edited: Nov 11, 2017
    Someone at github has made a website where you can examine any Chrome extension unless its owner has asked for it to be taken off the list.

    PS. From my own experience, I can say that they apparently don't care anymore about their own rules once an extension or update has been accepted. I once wrote an extension replacing broken images with their Wayback Machine versions. However, back then it used cookies to track whether to enable or disable the content script, so since the recent privacy policy change, it must have been violating it. After all, I foolishly did the same later trying to update it, causing it to be rejected (with me ending up removing the feature). Yet they hadn't done anything about the extension's last version that seemingly had the same problems for months.
     
    shmu26, harlan4096, XhenEd and 2 others like this.
  14. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    Interesting article, from thehackernews.com: 8 More Chrome Extensions Hijacked to Target 4.8 Million Users

    'Google's Chrome web browser Extensions are under attack with a series of developers being hacked...'

    Still current, that kind of news.
     
  15. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,483
    Utopia
    This is getting to be a problem. Even if you choose your extensions carefully, they get hijacked by 3rd party actors.
    Sounds to me like a big security hole.
     
  16. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #16 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    NEW (4) fresh fake extensions/apps on Chrome Web Store Today
    offered by lomernixmzloa932:

    youtube mp3 downloader for chrome
    ESET Nod32 Antivirus
    ComboFix (ancient this one...)
    GoodSync

    - the developer of these fakes is alive and well and is working full time !...

    - and Google's response - where is it?

    We have another thread about this, look in the Malware Analysis section:
    Malware Analysis - Fake ESET NOD32 extension analysis (Google Chrome)
     
    Transhumana, shmu26 and harlan4096 like this.
  17. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,483
    Utopia
    There are too many fake extensions, and too many legit extensions that were hijacked.

    Until Google sorts this out, I think it is wise to disable as many extensions as you can, and just use a few highly reliable ones, such as HTTPS everywhere and UblockOrigin, etc.
     
  18. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #18 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    Some Chrome extensions/apps - Intruding, Deceptive, Problematic, users are disappointed... hijacking to Yahoo Search... with bad English in description...
    - 'masquerading as trustworthy'...

    If you search the Chrome Web Store for these three words: 'web shield protection':

    Here you have Chrome Web Store extensions/apps of that kind, with the same GUI, offered by a different guy!


    PC Protect Web Shield = Scanguard Web Shield = Total AV Web Shield

    - with similar Home pages that ask you to log in to your account!

    Another set of that kind of 'same GUI' - and 'same icon' - extensions/apps, changing your search settings to shielddefense.net or mystartshield.com:

    MyStart Shield = Shield Defense = Secure MyWeb

    Scam Block Plus extension is very suspicious.

    Identity Guard Safe Browsing extension 'offers in-app purchases' and has very suspicious Home page addon.wsidg.com, beware! - what is this writing

    Developers of fake extensions are alive and well!

    - you like this?
     
  19. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,246
    13,483
    Utopia
    You should let Google know what a lousy job they are doing with vetting extensions.

    Some of this stuff is absolutely inexcusable, such as false use of brand names like Kaspersky. I mean, if an extension is submitted by Joe Schmo, and it claims it is Kaspersky, how hard is that to detect??
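
Added example, not part of any post in this thread: a sketch of the three listing checks the posts describe by hand (brand name versus publisher from #19, one name offered by two publishers from #8, and one removal page shared by differently branded extensions from #10). The record layout, the `VERIFIED` table and every value marked constructed or placeholder are assumptions; only the skyZIP publishers and the mitarchive.info host come from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: brand keyword -> publisher names verified out of band (placeholders).
VERIFIED = {b: {f"{b}-verified (placeholder)"} for b in ("kaspersky", "symantec", "avira")}

# Constructed inventory modelled on the posts: (name, publisher, page opened on removal).
LISTINGS = [
    ("skyZIP™ Proxy", "nynex", ""),
    ("skyZIP Proxy", "kibosh...xyz", ""),
    ("Security Guard by Symantec", "publisher-a (constructed)", "hxxp://mitarchive.info/temp/survey.html"),
    ("Avira Antivirus - Protector of Online Surfing", "publisher-b (constructed)", "hxxp://mitarchive.info/temp/survey.html"),
    ("Kaspersky Protection (constructed)", "Joe Schmo", ""),
]

def norm(name):
    """Lower-case and collapse symbols so 'skyZIP™ Proxy' equals 'skyZIP Proxy'."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def brand_mismatches(listings):
    """Listings that use a brand keyword but whose publisher is not verified for it."""
    hits = []
    for name, publisher, _ in listings:
        words = norm(name).split()
        for brand, verified in VERIFIED.items():
            if brand in words and publisher not in verified:
                hits.append((name, brand, publisher))
    return hits

def name_collisions(listings):
    """Normalized names that are offered by more than one publisher."""
    by_name = defaultdict(set)
    for name, publisher, _ in listings:
        by_name[norm(name)].add(publisher)
    return {n: pubs for n, pubs in by_name.items() if len(pubs) > 1}

def shared_uninstall_hosts(listings):
    """Removal-page hosts reused by listings from different publishers."""
    by_host = defaultdict(set)
    for _, publisher, url in listings:
        host = urlsplit(url).hostname  # None for an empty URL
        if host:
            by_host[host].add(publisher)
    return {h: pubs for h, pubs in by_host.items() if len(pubs) > 1}

if __name__ == "__main__":
    for check in (brand_mismatches, name_collisions, shared_uninstall_hosts):
        print(check.__name__, check(LISTINGS))
```

A hit from any of the three checks is a reason to review a listing, not proof that it is fake.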
     
  20. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,554
    3,740
    0wN3D by my cat!
    #20 Prorootect, Nov 22, 2017
    Last edited: Nov 22, 2017
    I don't know how to do it; maybe here on MT - or any other place! - there would be someone who is better informed than me, to notify Google. I hope so, I'm waiting!
     