“Tired of advertising? Disable it in one click — just install the extension”
Today I saw a sketchy Facebook ad, an empty “Blogging” site with stock photos advertised an “Ad blocker for Facebook”.
I checked out the site, and saw that it only had negative reviews, stating that it didn’t work and slowed down their browser. This made me curious.
The extension claims to block out Facebook advertisements, and — ironically — advertises itself on Facebook for it. This stragety is quite simple but ingenious, I mean who likes to see ads while browsing Facebook? Also if you are seeing their advertisement, you obviously have no AdBlocker installed for it.
The Chrome Web Store says it has a total of 10k+ users.
Behind the Scenes
Analyzing Google Chrome Extensions can be quite easy, atleast when the code — like in this example — isnt obfuscated.
You can just download it, get the unique extension ID from chrome://extensions, and then look at the source code found in your Profile Folder\Extensions\IDofYourExtension.
The Extension folder has 4 subfolders, a empty .vs folder, suggesting that the developers used Visual Studio, a _metadata folder filled with file hashes, this seems to be a Chrome Extension standard to guarantee that the files haven’t been modified or corrupted, a img folder with the extension logo, and finally the interesting part: A folder named js.
We will focus on 2 files: background.js and fb3.js
To my understanding, all these files are executed when the Chrome extension is installed, I might be wrong.
In background.js, a listener is added when the Chrome extension is installed, it waits 25 seconds until it executes the function s_fun_en()
The delay of 25 seconds is interesting, the extension tries to not raise suspicion with a variety of timing strageties.
The function s_fun_en() is full of these timing strageties. First it creates a timestamp, and saves it to the variable n, which will later be compared to the app.lt variable, while ensuring that app.lt is not the default value of 0.
app.lt is the timestamp of installation, the function s_fun_en() results in nothing until 11 hours have passed since the installation.
This condition is true when n (the current timestamp) is bigger than the installation timestamp + 11 hours.
If 11 hours have passed the extension begins working: It removes 2 cookies from Facebook, resulting in deauthentication, and also marks the time when the user was kicked out of his Facebook account in the app.ltr variable.
This helps the extension to remain under the radar, so the user does not raise suspicion when he is logged out directly after installing this extension.
This is when we have a look at the fb3.js file, it listens for the moment when the user is logging into Facebook again.
The extension saves the E-Mail and password, and sends it to the message listener in background.js
The listener saves the E-Mail and password combination into the app.ld variable, and proceeds to store the c_user cookie in app.u, containing the unique ID of the victims Facebook profile. If it can’t find this cookie, it executes the function again, until it gives up after a minute.
The fb3.js has another function, which constantly tries to grab the Facebook access token, if it succeeds it is also stored in app.t
So now the extension has successfully grabbed the E-Mail and Password, the unique ID, and the access token.
The obtained information is quite critical, the E-Mail and Password could be used to access the users Facebook account, or to access other accounts in which the same combination is used.
The extension has gathered a lot of information, the breaking point however is how it transfers this information back to the owner.
Typically, malware has a breaking point: The Dropping of it’s stolen data.
While code can be obfuscated, and (most of the times) gives no clue to whoever made it, the malware has to contact some server (which can be reported, to law enforcement or easier the hosting provider) to submit it’s findings.
After all the work on the local side is done, background.js get’s to work again:
It checks if all the needed data is grabbed, and saves the E-Mail password combination into d, base64 encodes it, and then embeds a picture.
The picture is generated from www.en-antibanner.ru/img.php , and the extension adds a lot of parameters to it.
This picture is 1x1 big, so you really wouldn’t see it.
Calling an image, rather than making a POST request to some sketchy server, is less likely to be detected.
I reported the extension to the Chrome Web Store and Facebook, I will talk more about in a second.
I had a quite funny idea: What would happen if you would trash their database by adding tons and tons of random data. They would get the infected users credentials for sure, but they would have to search for it between all the junk data.
You can add fake data by visiting this JSFiddle and hitting the “Run” Button, once, twice or maybe a thousand times.
Thank you for reading! I am not quite sure how to think about this, Chrome Web Store has virtually no security measures, I wasn’t warned that this file could be a virus and the extension seems to be able to do just about everything, while users can install it with one-click.
I will do a follow up blog post in which I try to track down the owners via OSINT.