{"id":143536,"date":"2022-03-10T11:26:26","date_gmt":"2022-03-10T19:26:26","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=143536"},"modified":"2024-02-26T23:09:55","modified_gmt":"2024-02-27T07:09:55","slug":"imposter-netflix-chrome-extension-dupes-100k-users","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/","title":{"rendered":"Imposter Netflix Chrome Extension Dupes 100k Users"},"content":{"rendered":"<p><span data-contrast=\"auto\">Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Extension Chrome Store, the combined install base is 100,000<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">McAfee Labs has observed th<\/span><span data-contrast=\"auto\">e<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\">e<\/span><span data-contrast=\"auto\"> extension<\/span><span data-contrast=\"auto\">s<\/span><span data-contrast=\"auto\"> are prevalent in USA, Europe and India as we can observe in the h<\/span><span data-contrast=\"auto\">ea<\/span><span data-contrast=\"auto\">tmap<\/span><span data-contrast=\"auto\"> below<\/span><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-145951\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap-1024x502.png\" alt=\"\" width=\"1024\" height=\"502\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap-1024x502.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap-300x147.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap-768x376.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap-205x100.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/netflix-heatmap.png 1100w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>The perpetrator targets over 1,400 domains, where 100 of them belong to the top 10,000 <a href=\"https:\/\/www.alexa.com\/siteinfo\" target=\"_blank\" rel=\"noopener\">Alexa<\/a> ranking including hbomax.com, hotels.com and expedia.com.<\/p>\n<p><span data-contrast=\"auto\">One extension, \u2018Netflix Party\u2019, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143539\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-1.png\" alt=\"\" width=\"602\" height=\"278\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-1.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-1-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-1-205x95.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span class=\"TextRun SCXW50369024 BCX0\" lang=\"EN-GB\" xml:lang=\"EN-GB\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW50369024 BCX0\">The malicious <\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">actor <\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">behind the extension<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">s<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\"> ha<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">s<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\"> created several Twitter accounts and fake review websites to deceive users <\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">into<\/span> <span class=\"NormalTextRun SCXW50369024 BCX0\">trusting and <\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">install<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">ing<\/span> <span class=\"NormalTextRun SCXW50369024 BCX0\">the<\/span> <span class=\"NormalTextRun SCXW50369024 BCX0\">extensions<\/span><span class=\"NormalTextRun SCXW50369024 BCX0\">.<\/span><\/span><span class=\"EOP SCXW50369024 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143581\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Scam-party-2.png\" alt=\"\" width=\"602\" height=\"340\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Scam-party-2.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Scam-party-2-300x169.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Scam-party-2-205x116.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span class=\"TextRun SCXW54891459 BCX0\" lang=\"EN-GB\" xml:lang=\"EN-GB\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW54891459 BCX0\">T<\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">he<\/span><span class=\"NormalTextRun SCXW54891459 BCX0\"> victim will be tricked into installing the extension and their data will be stolen <\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">when <\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">browsing a <\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">gift card<\/span> <span class=\"NormalTextRun SCXW54891459 BCX0\">site<\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">.<\/span><span class=\"NormalTextRun SCXW54891459 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW54891459 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143623\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-3.png\" alt=\"\" width=\"602\" height=\"235\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-3.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-3-300x117.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-3-205x80.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span data-contrast=\"auto\">The details of each step are as follows:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ol>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">They click to install the Extension and accept the permissions.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The victim will enter their gift card information on the phishing page.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1-\" data-font=\"\" data-listid=\"2\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ol>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Technical Analysis<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">This section contains the technical analysis of the malicious chrome extension &#8220;<\/span><b><i><span data-contrast=\"auto\">bncibciebfeopcomdaknelhcohiidaoe<\/span><\/i><\/b><i>&#8220;.<\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Manifest.json<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The manifest.json file contains the permissions of the extension. The \u2018unsafe-eval\u2019 permission in the \u2018content_security_policy\u2019 and the allowed use of content.js on any website visited by the user is of particular concern<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-144127\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Background-JS.png\" alt=\"\" width=\"602\" height=\"279\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Background-JS.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Background-JS-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/Background-JS-205x95.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Background.js<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line which makes it difficult to read. This is easily cleaned up by using a code beautifier and the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-144085\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-sub.png\" alt=\"\" width=\"602\" height=\"295\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-sub.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-sub-300x147.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-sub-205x100.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span class=\"TextRun SCXW79762343 BCX0\" lang=\"EN-GB\" xml:lang=\"EN-GB\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW79762343 BCX0\">This script <\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">accesses<\/span> <span class=\"NormalTextRun SCXW79762343 BCX0\">https:\/\/accessdashboard[.]live<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\"> to download a script and store it <\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">as variable \u2018code\u2019 in Chrome<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">\u2019<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">s local storage. <\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">This <\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">stored variable<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\"> is then reference<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">d<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\"> in the content.js script<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\">,<\/span><span class=\"NormalTextRun SCXW79762343 BCX0\"> which is executed on every visited website.\u00a0<\/span><\/span><span class=\"EOP SCXW79762343 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-144043\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-content.png\" alt=\"\" width=\"602\" height=\"284\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-content.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-content-300x142.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-content-205x97.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Content.js<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">After beautification, we see the code will read the malicious script from the \u2018code\u2019 variable which was previously stored.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-144001 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-code.png\" alt=\"\" width=\"602\" height=\"135\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-code.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-code-300x67.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-code-205x46.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">\u2018Code\u2019\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The malicious code has three main functions, redirection for phishing, modifying of cookies to add AffiliateIDs, and modifying of website code to add chat windows.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143959\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-phishing-redirect.png\" alt=\"\" width=\"602\" height=\"48\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-phishing-redirect.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-phishing-redirect-300x24.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-phishing-redirect-205x16.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"4\"><i><span data-contrast=\"none\">Redirection for Phishing<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Redirection for phishing works by checking if the URL being accessed matches a list, and conditionally redirects to a malicious IP that hosts the phishing site.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">URLs monitored are:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"none\">https[:]\/\/<\/span><span data-contrast=\"auto\">www.target.com\/guest\/gift-card-balance<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/www.macys.com\/account\/giftcardbalance<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/www.nike.com\/orders\/gift-card-lookup<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/www.nordstrom.com\/nordstrom-gift-cards<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/www.sephora.com\/beauty\/giftcards<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/www.sephoragiftcardbalance.com<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/balance.amexgiftcard.com<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/prepaidbalance.americanexpress.com\/GPTHBIWeb\/validateIPAction.do?clientkey=retail%20sales%20channel<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">https[:]\/\/amexprepaidcard.com<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">[:]\/\/secure4.store.apple.com\/shop\/giftcard\/balance<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL would have changed to an IP address, but some users may not.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The image below shows the Apple Phishing site and the various phishing kits being hosted on this server.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143917\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-apple-card.png\" alt=\"\" width=\"602\" height=\"229\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-apple-card.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-apple-card-300x114.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-apple-card-205x78.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span class=\"TextRun SCXW109301573 BCX0\" lang=\"EN-GB\" xml:lang=\"EN-GB\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW109301573 BCX0\">The phishing sites share similar co<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">de<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">s<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">. If a user enters their <\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">gift <\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">card<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\"> information, the data will be posted to <\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">5<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">2.8.106.52<\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">. <\/span><span class=\"NormalTextRun SCXW109301573 BCX0\">A network capture of the post request is shown below:<\/span><\/span><span class=\"EOP SCXW109301573 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143875\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-modifying.png\" alt=\"\" width=\"602\" height=\"502\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-modifying.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-modifying-300x250.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-modifying-155x129.png 155w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"4\"><i><span data-contrast=\"none\">Modifying of cookies to add AffiliateIDs<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The second malicious function contains AIPStore which is a dictionary containing a list of URLs and their respective monetizing sites which provide affiliate IDs. This function works by loading new tabs which will result in cookies being set on the visited sites. The flow below describes how the extension will work.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143833\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-flow.png\" alt=\"\" width=\"602\" height=\"378\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-flow.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-flow-300x188.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-flow-205x129.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<ol>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"4\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">A user navigates to a retail website<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"4\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">If the retail website is contained in the AIPStore keymap, the extension will load a new tab with a link to a monetizing site which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"4\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">The user will be unaware that a cookie would have been set and they will continue to browse the website.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"\" data-listid=\"4\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and commission will be sent to the Affiliate ID owner which would be the Malicious Actor<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">The left image below shows the original site with no affiliate cookie, the one on the right highlights the cookie that has been added by the extension.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143791\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-cookies.png\" alt=\"\" width=\"602\" height=\"227\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-cookies.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-cookies-300x113.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-cookies-205x77.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<h2 aria-level=\"4\"><i><span data-contrast=\"none\">Chat Windows<\/span><\/i><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The final function checks a list of URLs being accessed and if they match, a JS script will be injected into the HTML code which will result in a chat window being displayed. The image below shows the injected script and the chat window.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143749\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-chat-window.png\" alt=\"\" width=\"602\" height=\"249\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-chat-window.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-chat-window-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-chat-window-205x85.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span data-contrast=\"auto\">The chat window may be used by the malicious actor to request PII data, credit card, and product key information.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">This threat is a good example of the lengths malicious actors will go to trick users into installing malware such as creating Twitter accounts and fake review websites.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143707\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-webadvisor.png\" alt=\"\" width=\"602\" height=\"182\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-webadvisor.png 602w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-webadvisor-300x91.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-webadvisor-205x62.png 205w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/p>\n<p><span class=\"TextRun SCXW46095663 BCX0\" lang=\"EN-GB\" xml:lang=\"EN-GB\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW46095663 BCX0\">McAfee customers are protected against the<\/span><span class=\"NormalTextRun SCXW46095663 BCX0\"> malicious sites detailed in this blog <\/span><span class=\"NormalTextRun SCXW46095663 BCX0\">as they are blocked with McAfee WebAdvisor<\/span><span class=\"NormalTextRun SCXW46095663 BCX0\"> as shown below.<\/span><span class=\"NormalTextRun SCXW46095663 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW46095663 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-143665\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-mal-code.png\" alt=\"\" width=\"462\" height=\"195\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-mal-code.png 462w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-mal-code-300x127.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/scam-party-mal-code-205x87.png 205w\" sizes=\"auto, (max-width: 462px) 100vw, 462px\" \/><\/p>\n<p><span data-contrast=\"auto\">The Malicious code within the extension is detected as Phish-Extension. Please perform a \u2018Full\u2019 scan via the product.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<table data-tablestyle=\"MsoTableGrid\" data-tablelook=\"1184\" aria-rowcount=\"15\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Type<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Value<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Product<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Detected<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">URL \u2013 Phishing Sites<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">164.90.141.88\/*<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">McAfee WebAdvisor<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Blocked<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">netflix-party &#8211; bncibciebfeopcomdaknelhcohiidaoe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">teleparty &#8211; flddpiffdlibegmclipfcnmaibecaobi<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">hbo-max-watch-party &#8211; dkdjiiihnadmgmmfobidmmegidmmjobi<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">prime-watch-party &#8211; hhllgokdpekfchhhiknedpppjhgicfgg<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">private-watch-party &#8211; maolinhbkonpckjldhnocgilkabpfodc<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">hotstar-ad-blocker &#8211; hacogolfhplehfdeknkjnlblnghglfbp<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"9\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">hbo-ad-blocker &#8211; cbchmocclikhalhkckeiofpboloaakim<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"10\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">blocksite &#8211; pfhjfcifolioiddfgicgkapbkfndaodc<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"11\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">hbo-enhanced &#8211; pkdpclgpnnfhpapcnffgjbplfbmoejbj<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"12\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">hulu-watch-party &#8211; hkanhigmilpgifamljmnfppnllckkpda<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"13\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">disney-plus-watch-party &#8211; flapondhpgmggemifmemcmicjodpmkjb<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"14\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">spotify-ad-blocker &#8211; jgofflaejgklikbnoefbfmhfohlnockd<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"15\">\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Chrome Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">ott-party &#8211; lldibibpehfomjljogedjhaldedlmfck<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Total Protection and LiveSafe<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<td data-celllook=\"0\"><span data-contrast=\"auto\">Phish-Extension<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559740&quot;:259}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}\">\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed,&#8230;<\/p>\n","protected":false},"author":695,"featured_media":144211,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[14521,5941],"coauthors":[4136],"class_list":["post-143536","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-scam","tag-scams"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-10T19:26:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-27T07:09:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Imposter Netflix Chrome Extension Dupes 100k Users\",\"datePublished\":\"2022-03-10T19:26:26+00:00\",\"dateModified\":\"2024-02-27T07:09:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\"},\"wordCount\":1247,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg\",\"keywords\":[\"scam\",\"scams\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\",\"name\":\"Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg\",\"datePublished\":\"2022-03-10T19:26:26+00:00\",\"dateModified\":\"2024-02-27T07:09:55+00:00\",\"description\":\"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Imposter Netflix Chrome Extension Dupes 100k Users\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog","description":"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog","og_description":"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2022-03-10T19:26:26+00:00","article_modified_time":"2024-02-27T07:09:55+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Imposter Netflix Chrome Extension Dupes 100k Users","datePublished":"2022-03-10T19:26:26+00:00","dateModified":"2024-02-27T07:09:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/"},"wordCount":1247,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg","keywords":["scam","scams"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/","name":"Imposter Netflix Chrome Extension Dupes 100k Users | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg","datePublished":"2022-03-10T19:26:26+00:00","dateModified":"2024-02-27T07:09:55+00:00","description":"Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi\u00a0 McAfee has recently observed several malicious Chrome Extensions which, once installed, will","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/03\/300x200_Blog_scamparty.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/imposter-netflix-chrome-extension-dupes-100k-users\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Imposter Netflix Chrome Extension Dupes 100k Users"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/143536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=143536"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/143536\/revisions"}],"predecessor-version":[{"id":184269,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/143536\/revisions\/184269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/144211"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=143536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=143536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=143536"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=143536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}