Google has removed two malicious ad blockers from the Chrome Web Store: AdBlock (about 800,000 users) and uBlock (850,000 users). Both extensions were fully functional, but they clearly disguised themselves as other popular blockers and engaged in cookie stuffing fraud.
Google removed the problematic extensions after AdGuard specialists discovered the fraudulent blocker behavior. The researchers noticed that approximately 55 hours after these extensions are installed, they begin to exchange suspicious requests with their servers: in response to the extension's requests, the server sends a list of commands, after which the "blocker" changes its behavior and, in addition to blocking ads, starts doing something else. That something else is cookie stuffing, a popular scam technique often used in affiliate marketing to capture traffic from legitimate sources.
The researchers explain that on every visit to a new domain, a request is sent to urldata.net. For example, after visiting teamviewer.com, the request will look like this:
http://urldata(.)net/api?key=4e4a7faf91b2bcda88a60e269e4d6208bfe8d3d6&out=https%3A%2F%2Fteamviewer.com&format=txt
The response to such a request will contain the following URL:
http://urldata(.)net/newapi/click/PvdHh16uGq6mLqmbUoT3AaUImj7ynsh0cVlCywkljEF19oBV0JH4jNYpn-xwIyEV36OMPPH1IrESEyclc7yxEbB3mYrfPMxnGqoV4SOmQ4MI9NYNHAQrPHwvJNE0W488ESUN1y7ONahVxwBZKnr4PZlZKI5gNi65DoIfYNwXAPoyFwh8Mgz1bX63V4PnjspvZa-DqjF5GTNxoIJqpHLC1_SwlFRYeoIvVGutkgfCSI4hMHa3z52VbL7VxbaQAhhqLC-uJUJO_s234VL3JDM01O-JE9PS6fXOH6z5XUojvotSQ5mZe7NFEsuMaeSK9rasy8MvaICWZpGDmgxIodzvMpJUv41ppkuqMBDDYpHptCEBb4Za_HffgaiKn-aY_COfan5P650B6ZTQsVqNKidMRRaHY4FxvM7VA79vX5_Oe0J0c9Wczw8VM9GrvzlGLdt4TjyBcF2JEtpcayh99JdL1wxrL_EoEHMml4LDy1JwT8LPxPG2vrlK5QSuoGrx-7tJLHD6Gq3SUeQj1XXEcENy77hkzU79TO9_hEs29Kq6ASdk6NKIZT8gOuJsNOAkU4i0Y9JvmEpdENyBL2ugmFNyitW2CfGzHrLsNex
The extension immediately opens this link in the background, and this request is followed by a chain of redirects.
The last query in the chain will be this one:
https://www.teamviewer(.)com/en/content/2019-cj-emea/?coupon=aff-19-en-10-1&utm_source=affiliate&utm_medium=cj&utm_campaign=dedc1dc5d58611e982c203670a180513&utm_content=133&affm_content=293&utm_content=2933&utm_content=293&utm_content=2933&utm_content=2933&utm_content=293&utm_content=291=dedc1dc5d58611e982c203670a180513
Apparently, this address belongs to someone's affiliate program with TeamViewer. In response, the browser receives an "affiliate" cookie. As a result, if the user later makes a purchase on teamviewer.com, the extension developer receives a commission from TeamViewer. Many affiliate links are used in this scheme; among the affected sites are some well-known names: microsoft.com, linkedin.com, aliexpress.com, booking.com. The experts note that this is far from the complete list, which is much longer.
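One way a defender could flag this pattern in a browser or extension request log, as an added example (not AdGuard's tooling or the article's own code): a lookup request that carries the visited site in an `out=` parameter, followed shortly by a background request to that same site bearing affiliate markers. The event list, key and token placeholders below are constructed.

```python
from urllib.parse import urlparse, parse_qs

def host_of(url):
    """Hostname without a leading 'www.' so teamviewer.com matches www.teamviewer.com."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_affiliate_landing(url):
    """True when the URL carries the affiliate markers seen in the final redirect above."""
    q = parse_qs(urlparse(url).query)
    return (q.get("utm_source") == ["affiliate"]
            or any(v.startswith("aff-") for v in q.get("coupon", []))
            or "affm_content" in q)

def find_cookie_stuffing(events, window=60.0):
    """events: list of (timestamp_seconds, initiator, url), sorted by time.
    Returns (lookup_host, target_host, landing_url) for each suspicious pair:
    an extension request with out=<site>, then an extension request to <site>
    that looks like an affiliate landing page, within `window` seconds."""
    findings = []
    for i, (t0, who, url) in enumerate(events):
        if who != "extension":
            continue
        out = parse_qs(urlparse(url).query).get("out")  # parse_qs also percent-decodes
        if not out:
            continue
        target = host_of(out[0])
        for t1, who1, url1 in events[i + 1:]:
            if t1 - t0 > window:
                break
            if who1 == "extension" and host_of(url1) == target and is_affiliate_landing(url1):
                findings.append((host_of(url), target, url1))
                break
    return findings

# Constructed sample log modelled on the TeamViewer example (KEY/TOKEN are placeholders)
SAMPLE_EVENTS = [
    (0.0, "page", "https://www.teamviewer.com/en/"),
    (0.4, "extension", "http://urldata.net/api?key=KEY_PLACEHOLDER&out=https%3A%2F%2Fteamviewer.com&format=txt"),
    (0.9, "extension", "http://urldata.net/newapi/click/TOKEN_PLACEHOLDER"),
    (2.1, "extension", "https://www.teamviewer.com/en/content/2019-cj-emea/?coupon=aff-19-en-10-1&utm_source=affiliate&utm_medium=cj"),
    (5.0, "page", "https://www.teamviewer.com/en/download/"),
]

if __name__ == "__main__":
    for lookup, target, landing in find_cookie_stuffing(SAMPLE_EVENTS):
        print(f"lookup via {lookup} -> affiliate landing on {target}: {landing}")
```

Real logs would come from the browser's network panel or an extension-monitoring proxy; the initiator field is what separates background extension traffic from the page's own navigation.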
The researchers write that the scale of this fraudulent campaign is staggering. In total, the extensions had more than 1.6 million active users, and cookies were stuffed for at least 300 sites from the Alexa Top 10000. The exact damage from this campaign is difficult to assess, but AdGuard is confident that it amounts to a few million US dollars per month.