nEnhancer Chrome extension is indulging in malicious behavior, says a report. A network and security consultant recently reported that the extension is indulged in malicious behavior. As per the report, the extension works as a fraud affiliate, hijacks the users identity and tags them to generate referral fees and affiliate revenue. Once installed, this malware inspects your web activity and operates as a buyer or a visitor on your behalf. The malicious activity being done via your own browser seems legit thereby leading to a considerable affiliate fraud.
Collin Chaffin posted a comment on our site:
“…see the following regarding the nEnhancer extension – I have done security analysis and recorded webcast showing this extension is malicious malware. I too have run it for years and had no idea but recently it changed/elevated it’s permissions and I did not think anything until yesterday when the server that was mirroring all my web activity went down briefly – and as a network/security consultant with almost 30yrs under my belt I began to investigate.”
nEnhancer is a popular Netflix Chrome Extension available at the Chrome Store and it is designed to enhance Netflix viewing. It is already an ad-supported program which automatically makes it a profit generating program.
It now seems to have some elevated permissions wherein it associates all your activities on the e-commerce websites with a fraudulent referral ID to generate the affiliate revenue, may it be just surfing and browsing or purchasing. The extension monitors your web activities as well as the search queries to serve you the targeted ads based on the interests. The extension delivers different formats of ads which include the contextual ads, pop-up ads, full page ads, and the redirects. While these ads are safe usually, but the cyber-criminals can certainly use them to spread the malicious program in your PC.
The reports states:
The attack we have encountered is highly sophisticated — it utilizes real users’ web browsers in what is called a Man in the Browser attack. It does this by installing and distributing “malware” in the form of a browser extension on an actual user’s device. Once installed, the software can inspect the user’s activity and operate on the user’s behalf without the user’s knowledge (clicking and opening different sites in hidden iframes, for instance). Running from within the browser while the true user is active makes it extremely hard to detect the malicious activity or distinguish between the user’s activities and those of the malware.
Check out the detailed YouTube video shot by the security analyst to know more about the malicious behavior of nEnhancer Chrome extension.
Once the extension is installed, it will do several things to help protect itself from being detected. It will wait for a period of a week or two before indulging in any malicious activity, to hide its true nature from anyone monitoring its activity. It will then download a payload that will include a list of domains it wants to defraud.
Read more about it at the source.