https://krebsonsecurity.com/2021/05/using-fake-reviews-to-find-dangerous-extensions/

Krebs on Security

Using Fake Reviews to Find Dangerous Extensions
May 29, 2021
9 Comments

Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here's the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.

[Image: cs-msauthcomments] Comments on the fake Microsoft Authenticator browser extension show the reviews for these applications are either positive or very negative -- basically calling it out as a scam. Image: chrome-stats.com.

After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars.

"It's great!," the Google account Theresa Duncan enthused, improbably. "I've only had very occasional issues with it."

"Very convenient and handing," assessed Anna Jones, incomprehensibly.

Google's Chrome Store said the email address tied to the account that published the knockoff Microsoft extension also was responsible for one called "iArtbook Digital Painting." Before it was removed from the Chrome Store, iArtbook had garnered just 22 users and three reviews.
As with the knockoff Microsoft extension, all three reviews were positive, and all were authored by accounts with first and last names, like Megan Vance, Olivia Knox, and Alison Graham.

Google's Chrome Store doesn't make it easy to search by reviewer. For that I turned to Hao Nguyen, the developer behind chrome-stats.com, which indexes and makes searchable a broad array of attributes about extensions available from Google.

Looking at the Google accounts that left positive reviews on both the now-defunct Microsoft Authenticator and iArtbook extensions, KrebsOnSecurity noticed that each left positive reviews on a handful of other extensions that have since been removed.

[Image: iartbook] Reviews on the iArtbook extension were all from apparently fake Google accounts that each reviewed two other extensions, one of which was published by the same developer. This same pattern was observed across 45 now-defunct extensions.

Like an ever-expanding Venn diagram, a review of the extensions commented on by each newly found fake reviewer led to the discovery of even more phony reviewers and extensions. In total, roughly 24 hours' worth of digging through chrome-stats.com unearthed more than 100 positive reviews on a network of patently fraudulent extensions. Those reviews in turn led to the relatively straightforward identification of:

- 39 reviewers who were happy with extensions that spoofed major brands and requested financial data
- 45 malicious extensions that collectively had close to 100,000 downloads
- 25 developer accounts tied to multiple banned applications

The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts. Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands.
A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available from the Google store. A counterfeit version of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.

[Image: msteams-fakeapp] More than 16,000 people downloaded a fake Microsoft Teams browser extension over the roughly two months it was available for download from the Google Chrome store.

Unlike malicious browser extensions that can turn your PC into a botnet or harvest your cookies, none of the extensions examined here request any special permissions from users. Once installed, however, they invariably prompt the user to provide personal and financial data -- all the while pretending to be associated with major brand names.

In some cases, the fake reviewers and phony extension developers used in this scheme share names, as in the case of "brook ice," the Google account that positively reviewed the malicious Adobe and Microsoft Teams extensions. The email address brookice100@gmail.com was used to register the developer account responsible for producing two of the phony extensions examined in this review (PhotoMath and Dollify).

[Image: extensionreviewers] Some of the data that informed this report. The full spreadsheet is available as a link at the end of the story.

As we can see from the spreadsheet snippet above, many of the Google accounts that penned positive reviews on patently bogus extensions left comments on multiple apps on the same day. Additionally, Google's account recovery tools indicate that many different developer email addresses tied to extensions reviewed here share the same recovery email -- suggesting that relatively few anonymous users are controlling the entire scheme. When the spreadsheet data shown above is sorted by the extension developer's email address, the grouping of the reviews by date becomes even clearer.
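The method the story walks through (start from one known-bad extension, follow its positive reviewers to the other extensions they praised, repeat until nothing new turns up, then look for same-day review bursts and for developer accounts tied to several of the flagged extensions) is mechanical enough to script. The block below is an added example, not code from the original post or from chrome-stats.com. It runs over a small set of constructed review records; the extension ids, reviewer names, developer addresses and dates are placeholders, and the `pivot`, `same_day_reviewers` and `group_by_developer` helpers are this editor's, not a chrome-stats.com API. Following only positive reviews is the essential filter: the one-star accounts warning people off the fake Authenticator are not the ones to pivot through.

```python
from collections import defaultdict, deque

# Constructed sample review records, NOT data from chrome-stats.com or the article.
# Fields: reviewer account, extension id, developer email, star rating, review date.
# Extension ids, reviewer names and developer addresses are placeholders.
REVIEWS = [
    ("Reviewer A", "ext-auth",  "dev1@example.invalid", 4, "2021-03-02"),
    ("Reviewer B", "ext-auth",  "dev1@example.invalid", 3, "2021-03-02"),
    ("Real User",  "ext-auth",  "dev1@example.invalid", 1, "2021-03-05"),  # a one-star warning
    ("Reviewer A", "ext-paint", "dev1@example.invalid", 5, "2021-03-02"),
    ("Reviewer B", "ext-teams", "dev2@example.invalid", 5, "2021-03-02"),
    ("Reviewer C", "ext-teams", "dev2@example.invalid", 4, "2021-03-09"),
    ("Reviewer C", "ext-video", "dev2@example.invalid", 5, "2021-03-09"),
    ("Real User",  "ext-notes", "dev9@example.invalid", 5, "2021-02-01"),  # unrelated, legitimate
    ("Honest Ann", "ext-notes", "dev9@example.invalid", 4, "2021-02-03"),
]


def build_indexes(reviews, min_stars=3):
    """Index positive reviews both ways: reviewer -> extensions, extension -> reviewers.
    Reviews below min_stars are ignored: the one-star accounts warning people away
    are exactly the ones we do not want to pivot through."""
    by_reviewer = defaultdict(set)
    by_extension = defaultdict(set)
    for reviewer, ext, _dev, stars, _day in reviews:
        if stars >= min_stars:
            by_reviewer[reviewer].add(ext)
            by_extension[ext].add(reviewer)
    return by_reviewer, by_extension


def pivot(reviews, seed_extension, min_stars=3, max_hops=10):
    """Breadth-first expansion from one known-bad extension:
    extension -> its positive reviewers -> the other extensions they praised -> ...
    max_hops bounds the walk so a single shared reviewer cannot drag in the whole store.
    Returns (extensions reached, reviewer accounts reached)."""
    by_reviewer, by_extension = build_indexes(reviews, min_stars)
    seen_ext = {seed_extension}
    seen_rev = set()
    queue = deque([(seed_extension, 0)])
    while queue:
        ext, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for reviewer in by_extension.get(ext, ()):
            seen_rev.add(reviewer)
            for other in by_reviewer[reviewer]:
                if other not in seen_ext:
                    seen_ext.add(other)
                    queue.append((other, hops + 1))
    return seen_ext, seen_rev


def same_day_reviewers(reviews, reviewers, min_stars=3):
    """Accounts among `reviewers` that left two or more positive reviews on one day,
    the burst pattern visible in the article's spreadsheet.
    Returns {reviewer: {date: count}} listing only the days with a burst."""
    counts = defaultdict(lambda: defaultdict(int))
    for reviewer, _ext, _dev, stars, day in reviews:
        if reviewer in reviewers and stars >= min_stars:
            counts[reviewer][day] += 1
    return {
        reviewer: {day: n for day, n in days.items() if n >= 2}
        for reviewer, days in counts.items()
        if any(n >= 2 for n in days.values())
    }


def group_by_developer(reviews, extensions):
    """Group the flagged extensions by developer email so that a developer account
    tied to several of them stands out. Returns {developer_email: sorted extension ids}."""
    groups = defaultdict(set)
    for _reviewer, ext, dev, _stars, _day in reviews:
        if ext in extensions:
            groups[dev].add(ext)
    return {dev: sorted(exts) for dev, exts in groups.items()}


if __name__ == "__main__":
    exts, revs = pivot(REVIEWS, "ext-auth")
    print("extensions reached:", sorted(exts))        # ext-notes is not reached
    print("reviewer accounts reached:", sorted(revs))
    print("same-day review bursts:", same_day_reviewers(REVIEWS, revs))
    print("flagged extensions by developer:", group_by_developer(REVIEWS, exts))
```

Each stage is a separate function so the signals can be weighed on their own: a reviewer shared between two extensions is a lead to examine, while the same-day bursts and the developer grouping are the corroboration the story leaned on. The `max_hops` limit matters on a real index, where one popular account that happens to have reviewed a bad extension would otherwise pull in everything else it ever rated.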
KrebsOnSecurity shared these findings with Google and will update this story in the event they respond. Either way, Google somehow already detected all of these extensions as fraudulent and removed them from its store. However, there may be a future post here about how long that bad-extension identification and removal process has taken over time. Overall, most of these extensions were available for two to three months before being taken down.

As for the "so what?" here: I performed this research mainly because I could, and I thought it was interesting enough to share. Also, I got fascinated with the idea that finding fake applications might be as simple as identifying and following the likely fake reviewers. I'm positive there is more to this network of fraudulent extensions than is documented here.

As this story illustrates, it pays to be judicious about installing extensions. Leaving aside these extensions, which are outright fraudulent, so many legitimate extensions get abandoned or sold each year to shady marketers that it's wise to only trust extensions that are actively maintained (and perhaps have a critical mass of users that would make noise if anything untoward happened with the software). According to chrome-stats.com, the majority of extensions -- more than 100,000 of them -- are effectively abandoned by their authors, or haven't been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.

The information that informed this report is searchable in this Google spreadsheet.
This entry was posted on Saturday 29th of May 2021 12:14 PM

9 thoughts on "Using Fake Reviews to Find Dangerous Extensions"

1. Roboman, May 29, 2021
I use the Fakespot Chrome plug-in to spot fake reviews on Amazon.com and eBay. It says it used "artificial intelligence that has been trained to pick up on patterns." It scans for reviewers and then checks their other reviews. Sounds like a similar AI/ML approach could be tried with these app stores with other attributes added, like how often the app is updated.

   1. Three Things, May 29, 2021
   I am sure I'm missing out on a lot of opportunities by not using plug-ins. Having said that, my first reaction was "so, how do I know that 'Fakespot' is legit / stays legit?" (see Phil's comments later in the comment list). My second thought was "if Fakespot is good at what it does, then why doesn't Amazon automatically run something like that and remove (or annotate somehow) more suspicious comments for everyone and not just Fakespot users?" Clearly, I'm wading through a lot of my own ignorance here - but thank you for your comment - it gives me more to think about.

2. GPTDesign, May 29, 2021
Very eye-opening article. As a rule of thumb, it might be wise to only use extensions that have existed for a longer period of time. Never hop onto a new extension when it first appears. Good to see that Google is apparently actively looking for such fraudulent extensions. I learn a lot by reading Krebs on Security.

   1. boko, May 29, 2021
   > Never hop onto a new extension
   Then who will ever try it?

   2. Kevin, May 29, 2021
   I don't agree with you. If you remember what happened with The Great Suspender extension, which was used by millions of people. So, users are at risk whether the extension is new or old. It all depends on the developer's intent.

3. Kurt Seifried, May 29, 2021
I knew a "Christian David" and the stories he had about companies refusing to believe that his name was actually that, or the comical glitches that occurred (likely due to a person trying to "fix" it) were wonderful. I also knew someone with the surname James because INS mixed up his dad's first and last name and fixing it would be a Herculean task ("computer says no"). So please be careful using "firstname firstname" as an indicator of shenanigans; a lot of legitimate people will get nailed.

4. Phil, May 29, 2021
I think it might be more useful if the apps could adopt an independent certification that their source code was found to be clean, that they have not been sold off to bypass security checks and that they do not cause issues whether intentional or not. Google is unable to moderate their own store, so maybe there needs to be another website with a short list of safe apps?

5. Firehawke, May 29, 2021
This reminds me a lot of how I would track and clear out scam email accounts on an email provider I worked at twenty years ago. I'd start with the IP address of the account that had been confirmed to be spamming scam emails (inevitably Nigerian-style) and see what other email addresses came up from that IP. Then run a grep through those accounts for key phrases used in Nigerian scams and confirm those instances. Check the IPs on those, and you'd end up with an entire tree of scam accounts shut down from a single report. Best of all, you could do this without violating anyone's privacy by just looking for the obvious key word combinations.

6. The Sunshine State, May 29, 2021
Thanks for sharing the information!
(c) Krebs on Security