Popular browser extensions record users‘ browser activity and inject code into e-commerce sites.
The five extensions all exhibit the same malicious behavior. Once installed, these extensions begin logging every site visited by the user and sending that information to servers controlled by a threat actor. The command-and-control (C2) servers check each website against a list of online marketplaces for which the threat actor has registered an affiliate ID. If the user visits a site on this list, the browser extensions inject code into the website, modifying the browser cookies to include the threat actor’s affiliate code for that site. In the event the user makes a purchase on this e-commerce site, the threat actor receives an affiliate payment for the purchase.
We frequently write about Android malware smuggled onto the Google Play Store in the form of what appear to be legitimate apps. However, the Play Store isn’t the only Google-run app store with a malware problem.
