Over 1.4 million devices have reportedly installed a suite of malicious Google Chrome extensions designed to monitor browsing activity.
According to a blog post by security firm McAfee, the scam works by changing the victim's browser cookies whenever they visit an online store, giving the scammer a cut of the victim's purchases.
McAfee reports that the remaining Netflix Party extensions are still available for download, despite the removal of two of them from the official extension marketplace.
The malicious add-ons do not immediately pose a security risk because they are not meant to exfiltrate sensitive information or install malware payloads, but they are a clear breach of privacy nonetheless.
Users are becoming increasingly reluctant to part with their browsing data, as evidenced by the rising popularity of virtual private network (VPN) services and other solutions designed to conceal online activity.
The fact that the add-ons all do useful things in addition to laying the groundwork for the affiliate revenue ploy makes the scam hard to detect. They have widespread praise, so would-be victims would have no idea a scam was being run right under their noses.
According to McAfee, "the extensions offer various functions, such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website."
Users aren't aware that their browsing history is being transmitted to the extension developers' servers, which poses a privacy risk.
Meanwhile, the operators programmed some of the extensions to begin tampering with browser cookies several weeks after the date of installation, in an effort to avoid detection by analysts.
Users of Google's Chrome web browser who discover they have the malicious extensions installed should uninstall them manually right away.
List of malicious add-ons:
- Netflix Party
- Netflix Party 2
- FlipShope - Price Tracking Extension
- Full Page Screenshot Capture - Screenshotting
- AutoBuy Flash Sales