gasilmilitary.blogg.se

#ADCLEAR VS ADGUARD FULL#
#ADCLEAR VS ADGUARD CODE#

There are only 6 extensions in this group, with just over 1.5 million users total, but I'm almost 100% sure that all of them are real active users.

#ADCLEAR VS ADGUARD FULL#

The full list of extensions from the first group can be found here.

Finally, these ads are inserted into the page.

This technique is called Steganography and it's often resorted to by malware developers.

This loaded image has ads 'coded in', and it tries to insert these ads.

Notice that this domain has nothing to do with Google, this name is only to further confuse the potential observer.

If it's a Bing or Google search results page, it loads an image from domain.

I troubled myself with preparing a decrypted version.

#ADCLEAR VS ADGUARD CODE#

The part of the code that was injected into the pseudo-analytics script does a very simple thing: it adds an obfuscated script into every freshly opened tab. But don't you decide that these are measures to hide a spooky script, I've got more for you. The thing is, the malefactor's server tracks your browser's cookies and only inserts malicious code for users it can recognize. Keep in mind, it will only transform for you personally - any other person will see the same old harmless script. You don't want to see your browser extensions do that The snag is, just you wait a couple days and this script will 'evolve' a bit:

Every such extension loads a seemingly harmless script with 'analytics' from. They are perfect specimens to illustrate the 'botnet' thesis as well - they don't become malicious right away but only after receiving a signal from a remote server. Also, I am sure there are actually more extensions like this, and CWS team will be able to find them all. It consists of all kinds of extensions, but the biggest part are all kinds of "wallpaper" extensions. Note that fake ad blockers is just a small part of this group. This group is especially curious because of the measures they take to conceal their actions. It includes 295 extensions with total number of 80 million users if we're to believe Chrome Web Store data. This is the most large-scale group of malicious extensions from my experience. Adblocker for YouTube - Youtube Adblocker, 2,000,000+ usersĪs you can see, authors aren't spending sleepless nights trying to come up with a witty name.Ad-block for YouTube - Youtube Ad-blocker Pro, 2,000,000+ users.Here's a couple of popular examples from this group (UPD: all links to the Chrome Store, now non-working, are in the gist below): Let's look deeper into each of aforementioned cases. This code may be changed any time, no reviews or updates are required. The trick is they are using third-party code loaded from a remote server and controlled by their owners. Numerous, I couldn't even count them all so I selected 5 most popular ones with 10 million users combined (again, bots have been employed most likely).Īnd you know what else is important and relevant for most of these extensions? At any point, WITHOUT ANY UPDATES they can change their behavior and start doing whatever. They can start doing some shady stuff at any second. Spam extensions that are like time bombs.

They even reuse the same code! Six of these guys this time, with 1,650,000 total users (and here I believe it's a real number). These are my old pals, I exposed an entire brood of them last year.

Fake ad blockers (and other extensions) that are involved in so-called 'cookie stuffing' and 'ad fraud'.

These extensions use a very inventive way to insert ads into Google's search results, I'll get to it soon.

Fake ad blockers that served as a lead to discover an entire cluster of 295 extensions with over 80 million users combined (although I suspect that this number is in part caused by bots).

Let's try to understand what's wrong this time.Īnd this time, there are three distinguishable groups of browser extensions. Maybe I just need to wait more, like a month? But I'm afraid during that month a couple hundred thousands more users will get hurt. These extensions keep occupying top positions in the Store and doing their dark deeds. Of course, somewhere along the way I click the 'Report abuse' button and let Google know about my findings. Some fake extensions in Chrome Web Store.

Finally, spend 2 minutes to check if they do anything suspicious.

You'll never have to scroll far or spend a lot of time to find those, you can always trust Chrome Web Store to bump such extensions to the very top of the list.

Click on every extension that looks like a scam (basically every other one, there's no shortage).Search the Store with terms 'adblock', 'adguard', 'ublock', 'ad blocker'.How would you do it? Here's a tested and trusted method:

Imagine you need to find a malicious browser extension that disguises itself as a legit one, like an ad blocker. 80M People Scammed by Chrome Fake Ad Blockers: the Same Old Song