Chrome Users Targeted by Websites Forcing Them to Install Extension to Leave

Feb 23, 2017 13:13 GMT  ·  By Gabriela Vatu  ·  Share:

A new malvertising campaign targeting Chrome users has users redirected to a website they couldn’t leave without installing a malicious Chrome extension.

While this isn’t exactly the common practice among malvertising, which usually redirect people to places where stronger malware can be delivered, including ransowmare, adware, banking trojans and so on, there seems to be a trend going on lately.

Recent malvertising campaigns targeting Chrome users redirect them to tech support or other scam sites, rather than malware-ridden sites.

“This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension. Enticing might in fact be a euphemism, since in this case the user is giving no choice other than “Add Extension to Leave“, while their browser is stuck in a never ending loop of fullscreen modes,” Segura writes.
“What happens?”

So what happens once this extension is installed? It makes sure it stay in hiding by using a 1×1 pixel image as its logo, which pretty much becomes a blank space next to the Chrome menu, where extensions are present. It also hooks chrome://extensions and chrome://settings in such a way that any attempts to access those is automatically redirected to chrome://apps so that users can’t get the extension uninstalled.

The bad stuff is in a couple of JavaScript files. One has a connection to a command & control server where it can receive instructions on what to do next.

“The perpetrators behind this extension are checking for certain keywords within the current URL and blocking/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams,” the blog reads.

While Chrome extensions are great to expand the functionality of the browser, there are also many bogus tools out there and some that have strong privacy and security implications.

The extension discovered by the security researchers has already been flagged and pulled from the Google store. If your computer is already affected by it, installing an antivirus (BitDefender of course) seems to be the only way to get rid of it since you can’t actually uninstall it.


  1. Chrome Users Targeted by Websites Forcing Them to Install Extension to Leave | MspPortalPartner News - February 23, 2017

    […] Source: Chrome Users Targeted by Websites Forcing Them to Install Extension to Leave […]

%d bloggers like this: