
Fake Evernote extension is spamming Chrome users, warns Malwarebytes

Works to spam users with unwanted ads by injecting JavaScript into each page they visit
Tue Aug 19 2014, 12:55

SECURITY FIRM Malwarebytes has warned of a fake Evernote extension for Chrome that spams users with unwanted advertisements by injecting JavaScript into every webpage they visit.

Because the script is injected into every page, the popups and advertisements appear on the surface to come from the websites users are visiting, when they are actually coming from the fake Evernote web extension.

Researchers at the company discovered the vulnerability in a "multi-plug PUP" file, which installs the fake Evernote browser extension.

"A quick look shows the PUP is digitally signed by 'Open Source Developer, Sergei Ivanovich Drozdov', although the certificate has since been revoked by the Issuer. This serves as another reminder that you can't always trust a program just because it's digitally signed," said Malwarebytes malware intelligence analyst Joshua Cannell in an email sent to The INQUIRER.

"When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. These files [are] installed in Chrome's extension directory on a Windows 7 PC."

For Google Chrome, the web extension is installed by updating the "Preferences" file, a JavaScript Object Notation (JSON) formatted file used to configure Chrome user preferences. The installed extension is called "Evernote Web", the same name as the real extension from evernote.com, and when Malwarebytes looked at the Chrome extensions page it found the extension listed there with the ID "lbfehkoinhhcknnbdgnnmjhiladcgbol", the same ID as the real Evernote Web extension.

"Clicking 'Visit website' directs the user to the Chrome webstore page for the actual Evernote Web extension," Cannell added. "Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote login screen."

Cannell explained that this is because the extension uses a content script to run in the context of the webpages a user browses.

"The content script is guaranteed to be loaded into every web page using the extension manifest (manifest.json). When visiting webpages, you'll get a series of annoying advertisements, all leading to potentially more unwanted programs and offers," he added.
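A defender-side triage of the detail just described, written as an added example that is not Malwarebytes' or The INQUIRER's code: it walks the extension entries of a Chromium "Preferences" file and flags extensions that were not installed from the Web Store or whose manifest loads a content script into every page. The Preferences excerpt is constructed, and the key names it relies on (from_webstore, manifest, content_scripts, matches) are assumptions about that file's layout.

```python
import json

# Constructed excerpt of the "extensions.settings" section of a Chromium
# "Preferences" file (not a real capture). Key names (from_webstore, manifest,
# content_scripts, matches) are assumptions about how Chromium lays out the file.
SAMPLE_PREFERENCES = '''{
  "extensions": {"settings": {
    "lbfehkoinhhcknnbdgnnmjhiladcgbol": {
      "from_webstore": false,
      "manifest": {
        "name": "Evernote Web", "version": "1.0",
        "content_scripts": [{"matches": ["<all_urls>"],
                             "js": ["a.js", "b.js", "c.js"]}]
      }
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "from_webstore": true,
      "manifest": {"name": "Harmless Notes", "version": "2.3",
                   "content_scripts": [{"matches": ["https://notes.example/*"],
                                        "js": ["notes.js"]}]}
    }
  }}
}'''

# Match patterns that put a content script into every page a user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def injects_everywhere(manifest):
    """True if any content script in the manifest matches every (http) page."""
    for script in manifest.get("content_scripts", []):
        if BROAD_PATTERNS.intersection(script.get("matches", [])):
            return True
    return False


def triage_extensions(preferences_json):
    """Return {extension_id: {"name": ..., "flags": [...]}} for every entry."""
    prefs = json.loads(preferences_json)
    report = {}
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        flags = []
        if not entry.get("from_webstore", False):
            flags.append("not installed from the Web Store")
        if injects_everywhere(manifest):
            flags.append("content script runs on every page")
        report[ext_id] = {"name": manifest.get("name", "?"), "flags": flags}
    return report


if __name__ == "__main__":
    for ext_id, info in triage_extensions(SAMPLE_PREFERENCES).items():
        print(f"{ext_id}  {info['name']!r}: {'; '.join(info['flags']) or 'no findings'}")
```

An extension that carries both flags while reusing the name and ID of a Web Store listing is the pattern described in this article and is worth pulling the on-disk files for.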

To remove the extension, Chrome users need to open the extensions tab in the browser and click the trash-can icon next to the entry.

Evernote hit the headlines for its security concerns last year when it emerged that its network had been compromised by hackers.

The online note-taking service issued a password reset for all users after the discovery. It said that it "discovered and blocked" suspicious activity on its network, but claimed that no user data was compromised during the intrusion.

"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," Evernote said.
