2,000,000+ users hacked via extensions exploit


mgwe...@gmail.com

Apr 5, 2018, 8:45:22 AM
to Chromium-Extensions-Announce
Dear Google/Fellow developers

We've just detected a CWS publisher with over 500+ extensions and 2,000,000+ users, and several accounts using malicious techniques to: 
- redirect searches originating from google, bing, myway and ask, to Yahoo ( https://search.yahoo.com/yhs/search?hspart=skylikes&hsimp=yhs-newtab&p={keyword} ) without user consent
- replace links with injected affiliate ids (ex. adding aff id to amazon link, booking.com)
- manipulate CWS installs, votes, ratings
- inject ads

You will find here a database with their accounts, extension ids, injection scripts, extension contents, screenshots proving what they do. This is a huge fraud, breaking CWS TOS, exposing users' privacy and so on.

How they do it:
When you install any of their extensions available on CWS, they ask the users to install an additional extension called "Themer". They use both extensions to redirect searches from google.com, inject affiliate ids, and manipulate votes in CWS by casting votes from unsuspecting real users that are logged into Google (using AJAX requests to the CWS rating API) - we have the source code of that. The scripts are not executed immediately but at least 24 hours after install (or maybe another trigger) - they command it from the server side:

We've found out 2 sites they use to inject the scripts that do all that:

All of their extensions have the same code and inject scripts from the domains above; they have very similar new tab designs and very similar LPs, only different domains and publishers to hide from Google.

Here are some of the proofs.

1. When you install any of their 500+ extensions, they might ask you to install "Themer":



2. Almost the same design/functions/LPs - only different publishers and domains:



3. Manipulating votes. Here is an example of an extension having 4000 users with 3500 votes and one that has 2700 votes with an almost perfect 5.00 stars (they also rate competitors with tons of 1-star ratings):




4. Injecting obfuscated scripts in their extensions:


 <-- decode with base64



5. Redirecting google.com, bing.com searches etc to https://search.yahoo.com/yhs/search?hspart=skylikes&hsimp=yhs-newtab&p={query}


 



6. Injecting affiliate IDs without user consent




7. Hundreds of manipulated extensions with fake votes - how can one extension have 1450 votes ALL 5 star?

 



I am not posting their source code here. Hopefully, Google will act before someone else decides to use their code.

Anyway, I am attaching a DB with their extensions.


Google, please take a look at this. 2,000,000+ users are hacked and exposed to whatever the hackers decide to do.


Let me know if you need more information, details etc.




extensions.csv
proof.zip
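
A defender-side triage sketch for two indicators described in the post above: script URLs hidden in base64 string literals inside extension source, and the `hspart=skylikes` search redirect. This is an added example, not code from the original poster or from the reported extensions; the function names, the `loader.example.invalid` URL and the sample data are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Quoted string literals made only of base64 characters, long enough to hide a URL.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
URL_IN_TEXT = re.compile(r"""https?://[^\s"'<>]+""")


def decoded_urls(source):
    """Return URLs that only appear after base64-decoding string literals."""
    found = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 after all, or decodes to binary data
        found.extend(URL_IN_TEXT.findall(text))
    return found


def is_reported_redirect(url):
    """True for the Yahoo search redirect quoted in the post (hspart=skylikes)."""
    parts = urlsplit(url)
    return (
        parts.hostname == "search.yahoo.com"
        and parts.path == "/yhs/search"
        and parse_qs(parts.query).get("hspart") == ["skylikes"]
    )


def flag_redirects(urls):
    """Filter visited URLs (for example from proxy logs) down to the redirect."""
    return [u for u in urls if is_reported_redirect(u)]


# --- constructed sample data (not taken from the reported extensions) ---
HIDDEN_URL = "https://loader.example.invalid/inject.js"  # placeholder domain
SAMPLE_JS = (
    'var s = document.createElement("script");'
    's.src = atob("%s");' % base64.b64encode(HIDDEN_URL.encode()).decode()
)
SAMPLE_VISITS = [
    "https://www.google.com/search?q=weather",
    "https://search.yahoo.com/yhs/search?hspart=skylikes&hsimp=yhs-newtab&p=weather",
    "https://search.yahoo.com/search?p=weather",
]

if __name__ == "__main__":
    print(decoded_urls(SAMPLE_JS))
    print(flag_redirects(SAMPLE_VISITS))
```

A static scan like this does not depend on the delayed, server-commanded activation the post describes, since it reads the package contents rather than waiting for the behaviour to trigger.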

mgwe...@gmail.com

Apr 5, 2018, 9:09:32 AM
to Chromium-Extensions-Announce
Here is the full list.
extensions-full.csv

PhistucK

Apr 5, 2018, 9:09:48 AM
to mgwe...@gmail.com, Chromium-Extensions-Announce
Did you report them using the "Report Abuse" link in the web store? I believe Google has a way to delete existing installations of extensions as well.
I am not sure you should have posted this publicly before you give Google some time to take care of the problem after reporting it...


PhistucK


mgwe...@gmail.com

Apr 5, 2018, 9:18:30 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Yes, I did. Reported to both Google and Yahoo, waited for a week - no email, no reaction so far, my report was ignored. Thus I decided to go public because it is really an urgent issue.
My guess is whoever checked this was misled because the extensions activate the scripts after 24 hours server side (or similar trigger).

ja...@chromium.org

Apr 5, 2018, 9:16:00 PM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Hi All,

Just following up to confirm that Google is aware of and working on this issue.

Thanks,
James

Sudar Tedom

Apr 6, 2018, 9:02:04 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Just to add one to the mix.
There's another notorious fake-rating developer out there. http://freeaddon.com/
Other than using fake accounts to bad review competition and good review himself, he actually asks his users to report his competition. Example here:

Another example where he bad-mouths his competitors and spreads fake information about them (different companies, not the one mentioned in the list above)

Besides that it violates the store placement policy, it's actually illegal in the US and called tortious interference.
Google, like always, does nothing about it....

Sudar Tedom

Apr 6, 2018, 10:17:24 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Some examples and proof about what this developer is all about:






d

Freeaddon fake ratings.csv

Nadia FreeAddon

Apr 6, 2018, 10:29:39 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Hi Sudar,

I'm a developer from FreeAddon team. Thanks for mentioning those articles posted on our website. If you read them and check against the reviews sections of the extensions in screenshots, you will see that we're telling the truth.

From 2016 to November 2017, we've built 400 newtab extensions, got 5 million active users and 93.5k user ratings. We've received hundreds of emails asking to "buy FreeAddon extensions" or "pay us to inject some javascript", but we always say NO. That's why we're loved by users, all of our extensions' ratings were at 4.7/5 stars.

We've been attacked by the "fake ratings hacker" Mark mentioned above. From November 2017 till now, the Attacker has posted 1.65 million fake 1-star ratings in our extensions. At the same time, they've uploaded 1600+ extensions and posted 3+ million fake 5-star ratings in those, in order to manipulate Chrome Web Store search results.

- Your screenshots show that many ratings were posted in our extensions, most of the 1-stars were from the Attacker.
- The Attacker is capable of sending millions of fake ratings on Chrome Web Store, they send both fake 5-stars on theirs and fake 1-stars on FreeAddon's extensions. Therefore both ours and theirs have an unusual number of ratings. The Attacker extensions have 4-5 stars, while all of ours are 1-2 stars.
- The negative reviews posted in FreeAddon's extensions are very similar, as they're spun text posted by the Attacker's automatic system.

Sudar Tedom

Apr 6, 2018, 10:54:57 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
I have no idea about that developer you fight with, but you've been caught doing tons of fake 5-star reviews for yourself and 1-star for your competition. Screenshots from chromebeat for the relevant extensions and dates coming soon.
In the screens I provided (have tons more), it clearly shows that you do the same thing that you blame that guy for.
Regardless, asking users to report extensions explicitly violates chrome TOS, not to mention writing made up facts about your competition.

From 2016 to November 2017 - You actually copycatted hundreds of extensions from the developers that used to be active back then (tabify, brandthunder, mystart, browserfx) and bad rated them. I'm waiting for them to send me the relevant data to add to this report.

You are definitely not the victim here

Nadia FreeAddon

Apr 6, 2018, 11:19:31 AM
to Chromium-Extensions-Announce, mgwe...@gmail.com
Back in 2016-2017, most of the newtab extensions in CWS (tabify, brandthunder, mystart, browserfx) were monetizing their extensions via search engine hijack. All of them have a similar design, redirect "chrome://newtab" to their website, and redirect search engine from Google to Yahoo. Among those, FreeAddon was the only one that's unique in UI/UX design. Users do not need to download anything in our custom new tab page, everything is included inside extension's source code folder. We have never injected any adware, and always use Google as our search engine. That's the reason why we won other ones.

Now, the Attacker has been uploading 50-100 new extensions a week, bombarding 100k of fake ratings every day. We have only a few people in our team and do not have enough resources to fight back, so calling for help from the users was our last choice. The message on our website that asks users for help is "If you like our extensions & want to support FreeAddon, give us a hand by RATING & GIVING REVIEW in Chrome Web Store". We do not force users to post the 5-star reviews or 1-star reviews, we just ask users to give fair reviews on their own judgment.

Sudar Tedom

Apr 6, 2018, 12:26:05 PM
to Chromium-Extensions-Announce, mgwe...@gmail.com
The reason is not important. Asking users to make bad reviews to another developer is against the policy.
"we just ask users to give fair reviews on their own judgment", really? You have a ready to copy paste text for them to report the extensions....
You actually admitted doing it. It's now Google's call what to do about it. I don't think you need to worry tho, Google are spineless and don't really care about fake reviews or mass-asking users to bad rate developers like you did.

"search engine hijack"? Still keeping to tell lies? Opening a new tab with a search box hosted "off extension" is by definition "not hijack". Absolutely no browser settings are changed besides new tab. Single purpose extension like it's meant to be.

Want to see an example of real "search engine hijack"? Take a look at https://coolstart.com/
Clearly violating the single purpose policy. They take over the new tab AND take over your omnibox search provider. Google should look at them too:

Whatever dude, Google got all the info.

Nadia FreeAddon

Apr 6, 2018, 1:45:33 PM
to Chromium-Extensions-Announce, mgwe...@gmail.com
- We listed proofs that Attacker's posted fake ratings and reviews, and a list of Attacker's extensions in this spreadsheet: https://docs.google.com/spreadsheets/d/1SM0QBYBIV637OeYQs7dWhw3JKI8hqGsXXBfC_aaQHKw/edit#gid=2089727125
- We do not ask users for reporting the suspicious extensions. The main purpose of the article is raising awareness for the average users. We keep a screenshot of the Google policy about fake ratings, and a screenshot where to find "Report Abuse" feature.

Btw, thanks for correcting me about the "search engine hijack" definition. The fact was: brandthunder, tabify, mystart... set search engine inside their newtab page to be Yahoo not Google. Most of them didn't allow users to change search box in their newtab page to Google, forcing users to use Yahoo. They redirect "chrome://newtab" to a website to inject ads in newtab page. Users surely do not like that, while FreeAddon always use Google as search engine and we have never injected any ads in our newtab page. That's how we won the other newtab. Your accusation of "in 2016-2017 FreeAddon made copy-cat of other newtab extensions and fake ratings" is not true.

Muhammad Qayyum Abro

Apr 7, 2018, 6:41:15 AM
to Chromium-Extensions-Announce
I feel more like someone doesn't like someone's success or has personal issues with them.

Sudar Tedom

Apr 7, 2018, 7:49:37 AM
to Chromium-Extensions-Announce
You bet. 
Why do you think someone took all that time and effort to investigate someone else? Because they are such good citizens? Hell no!
Everybody does fake ratings, someone did it better and in mass production, so the people that started to fake rate their competition in the first place cry about it now because they got a taste of their own medicine....

Nadia FreeAddon

Apr 7, 2018, 9:15:48 AM
to Chromium-Extensions-Announce
Fake ratings and reviews do not make you a good product creator. Users may be tricked to install your extension, but in long term they have their judgement to choose the best one to use.

In 2017 we've been attacked several times by Malware Distributors (see more: http://freeaddon.com/warning-adware-virus-distributors-are-making-fake-extensions-based-on-freeaddon-sportifytab/ ). For that, we've created a system to scan Chrome Web Store finding the malicious extensions. We received emails from fellow developers asking for help to report the problem to Google. FreeAddon is not the only victim, there're 10+ other developers who have also been suffering from the same kind of attack, spread in all kinds of products (newtab, games, weather, shopping, productivity...). The Attacker must be the biggest Malware Distributor on Chrome Web Store, as they're capable of creating thousands of malicious extensions and sending millions of fake ratings & reviews in a short time. For God's sake this must be ended!

Anyway, Google is aware of and working on this issue. In the last few days, we've seen 500+ malicious extensions have been taken down.

Patrick Murphy

Apr 8, 2018, 9:52:54 AM
to Chromium-Extensions-Announce
Hi, my name is Patrick. I’m the CEO of Brand Thunder. We’ve been in the space for over 10 years working on toolbars and now new tab pages. I take issue with you calling our search offering a “hijack”. We are creating a new tab page and inserting a search box on it that does send queries to our search partners.

The user can always use their URL bar which we do not touch and of course the user can always easily uninstall the extension if they are not happy with our search partners.

So I would rephrase the term “hijack”. It’s not appropriate for this implementation.

Patrick Murphy

Apr 8, 2018, 9:55:18 AM
to Chromium-Extensions-Announce
We should all be honest with each other here. The only true reviews we receive are users asking how to uninstall because they do not realize they installed an extension versus a theme.

Sudar Tedom

Apr 8, 2018, 10:06:15 AM
to Chromium-Extensions-Announce
Hey Patrick,
People leave positive reviews too. But you're right, more people leave negative ones.
What can you add about the end of 2016 beginning of 2017 about your extensions ratings after certain someone entered the new tab game?
Started seeing a lot of "I don't know how I got this extension" type of negative reviews while freeaddon getting all 5 stars? Coincidence?

Patrick Murphy

Apr 8, 2018, 10:24:04 AM
to Chromium-Extensions-Announce
Definitely - the game changed late 2016 for sure.  Up til then, you would search CWS and find a couple Sports Cars NTP.  All of a sudden, freeaddon and happyhey had 4 or 5 for each BRAND of sports car..  

And yes, we always were skeptical when we read the reviews they were receiving.  Getting a user to actually leave a review is challenging enough.. and stats show more people will leave a review when they have negative things to say or have a technical issue. 

BUT, to see reviews that basically are describing freeaddon and happyhey NTPs as " the best thing that ever happen to me!" is laughable.

We keep our heads down, focused on the extension market and other channels we are developing for NTPs. The CWS is a solid channel for us but it is getting spammed so much now it's not our focus.

Nadia FreeAddon

Apr 8, 2018, 3:08:05 PM
to Chromium-Extensions-Announce
Thanks Patrick+Sudar for showing your opinion.

In my point of view, FreeAddon has changed the history of NewTab extensions in Chrome Web Store market for the better.
- Back in 2016, all NewTabs (Brand Thunder, Tabify, MyStart, HappyHey...) had a similar design. Search box inside their newtab page was Yahoo and most of them didn't allow users to change it to Google, forcing users to use Yahoo. All of them redirect chrome://newtab to a website, in order to legally inject ads in newtab page, because Google does not allow ads in extension's pages.
- Born in that context, FreeAddon has brought in a fresh design that differentiated us from the others. We always use Google search engine in our newtab, and we've never injected any ads. Our newtab page loads blazing fast because all files are included in source code folder, users download nothing when opening a newtab. Every wallpaper was hand-picked and Photoshop edited.
- We have a Feedback button in our newtab, got around 50-100 feedback per day. Based on what users need, in 2017 we rolled out 400 extensions in different topics, 50+ version updates with bugfixes, improvements and new features that the other newtab never ever had.
- FreeAddon has gone viral. I remember a girl who asked us to make a Bangtan Boys newtab. We released it the next day, then she sent a thank you message and said that all her friends loved it too.
- We've received hundreds of emails asking to "buy FreeAddon extensions" or "pay us to inject some javascript", but we always say NO. FreeAddon has taken away a noticeable amount of traffic from the malware distributors. Hence, numerous attacks were launched against us, as these malware distributors desperately want to bring FreeAddon down. HappyHey was one of the suspicious attackers that we mentioned in the article http://freeaddon.com/warning-adware-virus-distributors-are-making-fake-extensions-based-on-freeaddon-sportifytab/
- Fake ratings and reviews do not make you a good product creator. Users may be tricked to install your extension, but in long term they have their judgement to choose the best one to use.