Chrome Extensions Caught Hijacking Affiliate Links and ChatGPT Logins

Summary
– Malicious Chrome extensions, including “Amazon Ads Blocker,” hijack affiliate links on e-commerce sites by secretly replacing or adding the attacker’s own affiliate codes to steal commissions.
– These extensions are part of a larger cluster of 29 add-ons targeting platforms like Amazon and AliExpress, which also scrape product data and use deceptive countdown timers.
– The extensions violate Chrome Web Store policies by misleading users about their function, combining unrelated features, and automatically modifying links without user consent.
– Separate malicious extensions, including a network targeting ChatGPT, are designed to steal authentication tokens and user data, exploiting the trust in popular AI tools.
– A malware toolkit called “Stanley” enables criminals to create deceptive extensions that overlay phishing pages on legitimate sites, highlighting browsers as a primary attack vector.
A significant security threat has emerged from the Google Chrome Web Store, where researchers have identified clusters of malicious extensions designed to hijack affiliate commissions and steal sensitive user data, including ChatGPT authentication tokens. These add-ons, often disguised as helpful tools, exploit browser permissions to carry out hidden operations, redirecting revenue from legitimate content creators and compromising personal accounts.
One prominent example is an extension called Amazon Ads Blocker. While it does block sponsored content as promised, its core malicious function is to automatically scan for and replace any existing affiliate tags in Amazon product links with the developer’s own code. This means that when a user with the extension installed clicks a link shared by a creator, the commission is stolen and redirected to the attacker. The extension’s publisher, “10Xprofit,” is linked to a broader network of 29 similar add-ons targeting major e-commerce platforms like AliExpress, Best Buy, and Walmart.
These extensions violate multiple Chrome Web Store policies. They fail to accurately disclose their true functionality, combine unrelated features like ad blocking and affiliate injection, which should be separate, and operate automatically without any user consent. Beyond affiliate fraud, some extensions were found scraping product data and sending it to a remote server. Those targeting AliExpress also deploy deceptive countdown timers on product pages to create a false sense of urgency and drive purchases through the attacker’s affiliate links.
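The affiliate hijack described above comes down to a change in one query parameter: Amazon's Associates tracking id travels in the `tag` parameter of a product URL, and the extension swaps or appends it. A creator or an auditor can detect that by comparing the link as published with the link the browser actually renders after extensions have run. The following Python is an added example, not code from the article or from any of the extensions it describes; the URLs, ASINs and tags in it are constructed, and the set of Amazon host suffixes it recognises is an assumption kept deliberately short.

```python
from urllib.parse import parse_qs, urlparse

# Amazon's affiliate ("Associates") id is carried in the "tag" query parameter.
AFFILIATE_PARAM = "tag"
# Assumption: only these storefront domains are checked; extend as needed.
AMAZON_HOST_SUFFIXES = ("amazon.com", "amazon.co.uk", "amazon.de")


def is_amazon(url):
    """True if the URL points at one of the storefronts we audit."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in AMAZON_HOST_SUFFIXES)


def affiliate_tag(url):
    """Return the affiliate tag in the URL, or None if there is none."""
    if not is_amazon(url):
        return None
    values = parse_qs(urlparse(url).query).get(AFFILIATE_PARAM)
    return values[0] if values else None


def classify_link(original_url, observed_url):
    """Compare the link as published against the link the browser rendered.

    Parsing the query string (rather than comparing raw strings) means
    parameter reordering or added tracking parameters do not cause noise;
    only the affiliate tag itself decides the verdict.
    """
    if not is_amazon(original_url):
        return "not_affiliate_target"
    before, after = affiliate_tag(original_url), affiliate_tag(observed_url)
    if before == after:
        return "unchanged"
    if after is None:
        return "tag_removed"
    if before is None:
        return "tag_injected"      # no tag before, attacker's tag after
    return "tag_replaced"          # creator's tag swapped for another


def audit_links(pairs):
    """Classify every (published, rendered) pair and count the hijacked ones."""
    results = [(observed, classify_link(original, observed)) for original, observed in pairs]
    hijacked = sum(1 for _, verdict in results if verdict in ("tag_injected", "tag_replaced"))
    return results, hijacked


# Constructed sample: what a creator's page links to, and what a browser with a
# link-rewriting extension actually shows. All ASINs and tags are made up.
SAMPLE_PAIRS = [
    ("https://www.amazon.com/dp/B000EXAMPL1?tag=examplecreator-20",
     "https://www.amazon.com/dp/B000EXAMPL1?tag=hijacker-21"),
    ("https://www.amazon.com/dp/B000EXAMPL2",
     "https://www.amazon.com/dp/B000EXAMPL2?tag=hijacker-21&ref_=nav"),
    ("https://www.amazon.com/dp/B000EXAMPL3?tag=examplecreator-20",
     "https://www.amazon.com/dp/B000EXAMPL3?ref_=nav&tag=examplecreator-20"),
    ("https://example.org/review", "https://example.org/review"),
]

if __name__ == "__main__":
    results, hijacked = audit_links(SAMPLE_PAIRS)
    for url, verdict in results:
        print(f"{verdict:22} {url}")
    print(f"{hijacked} of {len(results)} links had their affiliate tag injected or replaced")
```

In practice the "observed" side comes from a browser automation run that reads `href` attributes off the page with the extension under test installed; the comparison logic above does not depend on how the links were collected.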
In a separate but equally concerning campaign, security analysts uncovered another set of 16 extensions, primarily on the Chrome Web Store, crafted to steal ChatGPT login tokens. These add-ons, marketed with features like “voice download” or “prompt manager,” inject scripts into the ChatGPT website. Once installed, they can intercept authentication tokens, granting attackers persistent access to a user’s account, full conversation history, and any sensitive data or code shared within the platform. This poses a severe risk as AI tools become deeply integrated into professional workflows.
The threat landscape is further complicated by the availability of malware-as-a-service toolkits like “Stanley,” which was recently advertised on cybercrime forums. For a fee, this toolkit allows criminals to generate malicious Chrome extensions designed to serve convincing phishing pages. These pages are displayed within a hidden iframe overlay while the browser’s address bar continues to show the legitimate website’s URL, a technique that can easily trick even cautious users into surrendering login credentials.
These incidents underscore a critical shift in cybersecurity. The browser itself has become a primary attack vector. With the rise of remote work and cloud-based applications, browsers hold immense amounts of sensitive data. Malicious extensions, often appearing legitimate and passing through official store vetting processes, can gain deep access with minimal suspicion. Users and organizations are urged to exercise extreme caution, scrutinizing extension permissions, reviews, and publishers, and removing any tools that are not absolutely essential.
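The advice to scrutinise extension permissions can be made concrete by reading an extension's `manifest.json` before installing it (or from an unpacked copy of an installed one) and flagging the combinations the campaigns above relied on: broad host access, permissions that can read cookies or rewrite requests, and content scripts aimed at storefront or AI-chat domains. The script below is an added example, not tooling from the article or from Google; the two manifests are constructed, the domain watchlist and the risk thresholds are assumptions, and the permission names it checks are real Chrome Manifest V3 keys.

```python
# Chrome permissions that can read sessions or alter traffic (real MV3 names).
SENSITIVE_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
    "webNavigation", "history", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
}
# Permissions that let an extension redirect or rewrite URLs in flight.
LINK_REWRITE_PERMISSIONS = {
    "webRequestBlocking", "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: watchlist of domains the article's campaigns targeted.
WATCHLIST = ("amazon.", "aliexpress.", "bestbuy.", "walmart.", "chatgpt.com", "chat.openai.com")


def host_of(match_pattern):
    """Host part of a Chrome match pattern such as https://*.amazon.com/*."""
    if match_pattern == "<all_urls>":
        return "*"
    sep = match_pattern.find("://")
    return "" if sep == -1 else match_pattern[sep + 3:].split("/", 1)[0]


def audit_manifest(manifest):
    """Return (code, detail) findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & SENSITIVE_PERMISSIONS):
        findings.append(("sensitive_permission", p))
    for p in sorted(perms & LINK_REWRITE_PERMISSIONS):
        findings.append(("link_rewrite_capability", p))
    for h in manifest.get("host_permissions", []):
        if h in BROAD_HOST_PATTERNS:
            findings.append(("broad_host_access", h))
    for script in manifest.get("content_scripts", []):
        for m in script.get("matches", []):
            if m in BROAD_HOST_PATTERNS:
                findings.append(("broad_content_script", m))
                continue
            host = host_of(m).lstrip("*.").lower()
            if any(w in host for w in WATCHLIST):
                findings.append(("watchlist_content_script", m))
    return findings


def risk_level(findings):
    """Assumed thresholds: broad reach combined with session/traffic access is high."""
    codes = {c for c, _ in findings}
    broad = codes & {"broad_host_access", "broad_content_script"}
    powerful = codes & {"sensitive_permission", "link_rewrite_capability"}
    if broad and powerful:
        return "high"
    if broad or powerful:
        return "medium"
    return "low"


# Constructed manifest shaped like the "ad blocker" case in the article: the
# description promises one thing, the permissions allow rewriting any request.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ads Blocker (constructed)",
    "description": "Hides sponsored results on Amazon",
    "permissions": ["storage", "cookies", "scripting", "declarativeNetRequestWithHostAccess"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["https://*.amazon.com/*", "https://chatgpt.com/*"],
         "js": ["inject.js"], "run_at": "document_start"},
    ],
}

# Constructed manifest with the least privilege the advertised feature needs.
MINIMAL_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ads Blocker (minimal, constructed)",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://*.amazon.com/*"], "js": ["hide.js"]}],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, MINIMAL_MANIFEST):
        f = audit_manifest(m)
        print(f"{m['name']}: risk={risk_level(f)}")
        for code, detail in f:
            print(f"  {code}: {detail}")
```

Run it against `manifest.json` files loaded with `json.load`; the minimal manifest shows that blocking sponsored results on one storefront needs no host-wide access and no request-rewriting permission, so a store listing that asks for them is the signal to look closer.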
(Source: The Hacker News)