Imposter Netflix Chrome Extension Dupes 100k Users



Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi 

McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Chrome Extension Store, the combined install base is 100,000.

McAfee Labs has observed these extensions are prevalent in the USA, Europe and India as we can observe in the heatmap below.

The perpetrator targets over 1,400 domains, where 100 of them belong to the top 10,000 Alexa ranking including, and

One extension, ‘Netflix Party’, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious actions.

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions.

The victim will be tricked into installing the extension and their data will be stolen when browsing a gift card website.

The details of each step are as follows:

  1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.
  2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.
  3. They click to install the Extension and accept the permissions.
  4. The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page.
  5. The victim will enter their gift card information on the phishing page.
  6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds.

Technical Analysis

This section contains the technical analysis of the malicious Chrome extension “bncibciebfeopcomdaknelhcohiidaoe”.


The manifest.json file contains the permissions of the extension. The ‘unsafe-eval’ permission in the ‘content_security_policy’ and the allowed use of content.js on any website visited by the user are of particular concern.
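As an added example (not code from the McAfee post or from the extension itself), the following Node.js script statically triages an extension manifest for the two indicators called out above: an ‘unsafe-eval’ content security policy and a content script allowed on every site. The sample manifests are constructed to resemble the described extension and a benign one; they are not the real files, and the indicator names are our own.

```javascript
// Added example, not code from the McAfee post: static triage of an
// extension manifest for the indicators discussed above. Both manifests are
// CONSTRUCTED samples, not the real extension's manifest.json.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Netflix Party",
  version: "1.0",
  permissions: ["tabs", "storage", "cookies", "<all_urls>"],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
});

const BENIGN_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Notes",
  version: "2.0",
  permissions: ["storage"],
  host_permissions: ["https://notes.example.test/*"],
  content_scripts: [{ matches: ["https://notes.example.test/*"], js: ["notes.js"] }],
});

// Match patterns that grant access to every site.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Pull the extension-pages CSP out of either manifest version. MV2 stores a
// string; MV3 stores an object (and Chrome refuses 'unsafe-eval' there).
function extensionCsp(m) {
  const csp = m.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return "";
}

// Returns a sorted list of indicator names found in the manifest JSON.
function triageManifest(json) {
  const m = JSON.parse(json);
  const perms = m.permissions || [];
  const found = new Set();
  if (/'unsafe-eval'/.test(extensionCsp(m))) found.add("csp_unsafe_eval");
  // MV2 keeps host permissions in "permissions", MV3 in "host_permissions".
  const hosts = [...perms, ...(m.host_permissions || [])];
  if (hosts.some((p) => BROAD_PATTERNS.has(p))) found.add("broad_host_permission");
  for (const cs of m.content_scripts || []) {
    if ((cs.matches || []).some((p) => BROAD_PATTERNS.has(p))) found.add("content_script_all_urls");
  }
  if (perms.includes("cookies")) found.add("cookies_permission");
  // eval plus storage is the combination that lets a background script fetch
  // code at runtime, stash it locally and execute it later on every page.
  if (found.has("csp_unsafe_eval") && perms.includes("storage")) found.add("remote_code_capable");
  return [...found].sort();
}

// Review policy: a content script on every site together with eval is
// enough to demand a manual look before the extension is allowed.
function needsManualReview(json) {
  const f = triageManifest(json);
  return f.includes("content_script_all_urls") && f.includes("csp_unsafe_eval");
}

console.log(triageManifest(SAMPLE_MANIFEST), needsManualReview(SAMPLE_MANIFEST));
console.log(triageManifest(BENIGN_MANIFEST), needsManualReview(BENIGN_MANIFEST));
```

The check reads the CSP from either manifest version so the same triage can be applied to extracted CRX files regardless of age; for a fleet, run it against every unpacked extension directory under the browser profile and review anything that `needsManualReview` flags.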


When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line, which makes it difficult to read. This is easily cleaned up by using a code beautifier, and the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.

This script accesses https://accessdashboard[.]live to download a script and store it as the variable ‘code’ in Chrome’s local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.

Content.js

After beautification, we see the code will read the malicious script from the ‘code’ variable which was previously stored.


The malicious code has three main functions: redirection for phishing, modifying of cookies to add Affiliate IDs, and modifying of website code to add chat windows.

Redirection for Phishing

Redirection for phishing works by checking if the URL being accessed matches a list, and conditionally redirects to a malicious IP that hosts the phishing website.

URLs monitored are: 

  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • https[:]// 
  • [:]// 

Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL has changed to an IP address, but some users may not.

The image below shows the Apple phishing site and the various phishing kits being hosted on this server.

The phishing sites share similar code. If a user enters their gift card information, the data will be posted to A network capture of the POST request is shown below:

Modifying of cookies to add Affiliate IDs

The second malicious function contains AIPStore, which is a dictionary containing a list of URLs and their respective monetizing sites which provide affiliate IDs. This function works by loading new tabs which will result in cookies being set on the visited sites. The flow below describes how the extension will work.

  1. A user navigates to a retail website.
  2. If the retail website is contained within the AIPStore keymap, the extension will load a new tab with a link to a monetizing website which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.
  3. The user will be unaware that a cookie has been set and they will continue to browse the website.
  4. Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and payment will be sent to the Affiliate ID owner, which will be the malicious actor.
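The two behaviours described above, the redirect from a watched brand site to a bare IP address and the short-lived affiliate tab opened and closed behind the user, both leave a trace in browser navigation telemetry. The following is an added example (not code from the McAfee post) that runs two detections over a constructed event log: a watched domain being replaced by an IPv4 host in the same tab, and a “flash tab” opened by another tab to a different site and closed within two seconds. The log format, the hostnames (reserved `.test` TLD), the IP (RFC 5737 TEST-NET-3) and the watched-domain list are all assumptions made for the example; the post’s own monitored URL list is not reproduced.

```javascript
// Added example, not code from the McAfee post: detections over a
// CONSTRUCTED browser navigation log that mirror the behaviours above.
//   rule "redirect_to_ip": a tab on a watched domain lands on a bare IPv4 host
//   rule "flash_tab":      a tab opened by another tab to a different site and
//                          closed within FLASH_TAB_MS (the affiliate-cookie flow)
const SAMPLE_LOG = [
  "2022-01-05T10:00:01.000Z nav tab=7 url=https://www.giftcards.test/balance",
  "2022-01-05T10:00:01.400Z nav tab=7 url=http://203.0.113.10/apple/index.php",
  "2022-01-05T10:02:00.000Z nav tab=8 url=https://shop.test/cart",
  "2022-01-05T10:02:00.300Z tabopen tab=9 opener=8 url=https://affiliate-go.test/track?id=PLACEHOLDER",
  "2022-01-05T10:02:01.100Z tabclose tab=9",
  "2022-01-05T10:05:00.000Z nav tab=8 url=https://shop.test/checkout",
  "2022-01-05T10:06:00.000Z tabopen tab=10 opener=8 url=https://help.shop.test/faq",
];

const WATCHED_DOMAINS = ["giftcards.test"]; // constructed; the post's list was not reproduced
const FLASH_TAB_MS = 2000;                  // assumed threshold for a "flash" tab

// One log line -> { ts (ms), kind, tab, opener|null, url|null } or null.
function parseEvent(line) {
  const m = /^(\S+) (nav|tabopen|tabclose) tab=(\d+)(?: opener=(\d+))?(?: url=(\S+))?$/.exec(line);
  if (!m) return null;
  return {
    ts: Date.parse(m[1]),
    kind: m[2],
    tab: Number(m[3]),
    opener: m[4] ? Number(m[4]) : null,
    url: m[5] ? new URL(m[5]) : null,
  };
}

function isIpv4Host(h) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(h) && h.split(".").every((o) => Number(o) <= 255);
}

function isWatched(h) {
  return WATCHED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Crude registrable-domain approximation (last two labels); enough for the sample.
function siteOf(h) {
  return h.split(".").slice(-2).join(".");
}

// Returns the list of alerts raised over the log, in log order.
function detect(lines) {
  const alerts = [];
  const lastNav = new Map(); // tab -> last URL object seen in that tab
  const opened = new Map();  // tab -> tabopen event, until the tab closes
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev) continue;
    if (ev.kind === "nav") {
      const prev = lastNav.get(ev.tab);
      if (prev && isWatched(prev.hostname) && isIpv4Host(ev.url.hostname)) {
        alerts.push({
          rule: "redirect_to_ip", tab: ev.tab, from: prev.hostname, to: ev.url.hostname,
          downgrade: prev.protocol === "https:" && ev.url.protocol === "http:",
        });
      }
      lastNav.set(ev.tab, ev.url);
    } else if (ev.kind === "tabopen") {
      opened.set(ev.tab, ev);
      lastNav.set(ev.tab, ev.url);
    } else if (ev.kind === "tabclose") {
      const o = opened.get(ev.tab);
      if (o && o.opener !== null && ev.ts - o.ts <= FLASH_TAB_MS) {
        const parent = lastNav.get(o.opener);
        if (parent && siteOf(parent.hostname) !== siteOf(o.url.hostname)) {
          alerts.push({
            rule: "flash_tab", tab: ev.tab, opener: o.opener, parent: parent.hostname,
            target: o.url.hostname, lifetimeMs: ev.ts - o.ts,
          });
        }
      }
      opened.delete(ev.tab);
      lastNav.delete(ev.tab);
    }
  }
  return alerts;
}

console.log(detect(SAMPLE_LOG));
```

The `downgrade` flag records an HTTPS to HTTP transition alongside the IP redirect, which is the combination an observant user would notice in the address bar; the flash-tab rule ignores child tabs on the same site (the `help.shop.test` tab in the sample) and tabs that stay open, so ordinary pop-ups do not fire it.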

The left image below shows the original website with no affiliate cookie; the one on the right highlights the cookie that has been added by the extension.

Chat Windows

The final function checks a list of URLs being accessed and, if they match, a JS script will be injected into the HTML code which will result in a chat window being displayed. The image below shows the injected script and the chat window.

The chat window may be used by the malicious actor to request PII data, credit card, and product key information.


This threat is a good example of the lengths malicious actors will go to trick users into installing malware, such as creating Twitter accounts and fake review websites.

McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.

The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit, such as the one detailed in this blog.

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.

The malicious code within the extension is detected as Phish-Extension. Please perform a ‘Full’ scan via the product.

Type  Value  Product  Detected
URL – Phishing Sites*  McAfee WebAdvisor  Blocked
Chrome Extension  netflix-party – bncibciebfeopcomdaknelhcohiidaoe  Total Security and LiveSafe  Phish-Extension
Chrome Extension  teleparty – flddpiffdlibegmclipfcnmaibecaobi  Total Security and LiveSafe  Phish-Extension
Chrome Extension  hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi  Total Security and LiveSafe  Phish-Extension
Chrome Extension  prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg  Total Security and LiveSafe  Phish-Extension
Chrome Extension  private-watch-party – maolinhbkonpckjldhnocgilkabpfodc  Total Security and LiveSafe  Phish-Extension
Chrome Extension  hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp  Total Security and LiveSafe  Phish-Extension
Chrome Extension  hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim  Total Security and LiveSafe  Phish-Extension
Chrome Extension  blocksite – pfhjfcifolioiddfgicgkapbkfndaodc  Total Security and LiveSafe  Phish-Extension
Chrome Extension  hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj  Total Security and LiveSafe  Phish-Extension
Chrome Extension  hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda  Total Security and LiveSafe  Phish-Extension
Chrome Extension  disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb  Total Security and LiveSafe  Phish-Extension
Chrome Extension  spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd  Total Security and LiveSafe  Phish-Extension
Chrome Extension  ott-party – lldibibpehfomjljogedjhaldedlmfck  Total Security and LiveSafe  Phish-Extension