In the previous article about the Unimania spyware campaign I promised to tell you more about the privacy issues discovered during our automated scan of many Google Chrome extensions. This took me a while, and I apologize for the delay.
Privacy protection is basically what we do, so I never get tired of stories about how unpredictable the ways of getting Facebook user data are. Cambridge Analytica might be dead, but the business of stealing users’ data lives on, and this article demonstrates one more example of that.
According to the PageFair 2014 report, Google Chrome is a major driver of adblock growth. 20% of users discovered ad blocking by browsing “available browser extensions”. Given how popular ad blocking is, that is quite a lot. This also explains why "cloning" widespread ad blockers has become so popular among online crooks. Seven months ago big news broke: 37,000 users were tricked into installing a fake Adblock Plus extension.
What if I told you that, thanks to the Chrome WebStore's poor moderation, the situation is much worse, and in reality over 20,000,000 users are affected and tricked into installing fake malicious ad blockers?
Calls to "delete Facebook" across different social media are growing in popularity. This is users’ reaction to recent publications in the media about how a certain analytics company purchased the personal data of 50 million Facebook users from one of the app developers, and then proceeded to use this information to influence the outcomes of elections and political campaigns.
Back in December 2017, we added a mechanism that allowed users to optionally report websites whenever a cryptojacking script is detected by AdGuard. It proved useful right away and allowed us to discover the largest known cryptojacking campaign, which was being run by some popular video streaming websites. Since then we have received more than a million user reports, and now it's time to analyze them.
Over the last two months, we received over 1.3 million reports on more than 120 thousand websites. It's important to note that sometimes cryptojacking was detected on some legitimate websites (Google, YouTube, Instagram, etc.), and this is most likely caused by malicious browser extensions or malvertising.
However, 40% (over half a million) of the reports came from just 50 domains. Let's take a deeper look into what the top cryptojackers do.