Cybersecurity researchers recently uncovered malicious Google Chrome extensions that actively hijack affiliate links, steal user data, and collect OpenAI ChatGPT authentication tokens.
Amazon Ads Blocker Masks Hidden Affiliate Abuse
One of the extensions involved, Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), claims to let users browse Amazon without sponsored content. Publisher “10Xprofit” uploaded the extension to the Chrome Web Store on January 19, 2026.
“The extension does block ads as advertised, but its primary function is hidden: it automatically injects the developer’s affiliate tag (10xprofit-20) into every Amazon product link and replaces existing affiliate codes from content creators,” Socket security researcher Kush Pandya said.
Further analysis revealed that Amazon Ads Blocker operates as part of a broader cluster of 29 browser extensions targeting major e-commerce platforms, including AliExpress, Amazon, Best Buy, Shein, Shopify, and Walmart. The full list includes:
- AliExpress Invoice Generator (FREE) – AliInvoice™️ (10+ Templates) (ID: mabbblhhnmlckjbfppkopnccllieeocp)
- AliExpress Price Tracker – Price History & Alerts (ID: loiofaagnefbonjdjklhacdhfkolcfgi)
- AliExpress Quick Currency & Price Converter (ID: mcaglpclodnaiimhicpjemhcinjfnjce)
- AliExpress Deals Countdown – Flash Sale Timer (ID: jmlgkeaofknfmnbpmlmadnfnfajdlehn)
- 10Xprofit – Amazon Seller Tools (FBA & FBM) (ID: ahlnchhkedmjbdocaamkbmhppnligmoh)
- Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj)
- Amazon ASIN Lookup 10xprofit (ID: ljcgnobemekghgobhlplpehijemdgcgo)
- Amazon Search Suggestion (ID: dnmfcojgjchpjcmjgpgonmhccibjopnb)
- Amazon Product Scraper 10xprofit (ID: mnacfoefejolpobogooghoclppjcgfcm)
- Amazon Quick Brand Search (ID: nigamacoibifjohkmepefofohfedblgg)
- Amazon Stock Checker 999 (ID: johobikccpnmifjjpephegmfpipfbfme)
- Amazon Price History Saver (ID: kppfbknppimnoociaomjcdgkebdmenkh)
- Amazon ASIN Copy (ID: aohfjaadlbiifnnajpobdhokecjokhab)
- Amazon Keyword Cloud Generator (ID: gfdbbmngalhmegpkejhidhgdpmehlmnd)
- Amazon Image Downloader (ID: cpcojeeblggnjjgnpiicndnahfhjdobd)
- Amazon Negative Review Hider (ID: hkkkipfcdagiocekjdhobgmlkhejjfoj)
- Amazon Listing Score Checker (ID: jaojpdijbaolkhkifpgbjnhfbmckoojh)
- Amazon Keyword Density Searcher (ID: ekomkpgkmieaaekmaldmaljljahehkoi)
- Amazon Sticky Notes (ID: hkhmodcdjhcidbcncgmnknjppphcpgmh)
- Amazon Result Numbering (ID: nipfdfkjnidadibpbflijepbllfkokac)
- Amazon Profit Calculator Lite (ID: behckapcoohededfbgjgkgefgkpodeho)
- Amazon Weight Converter (ID: dfnannaibdndmkienngjahldiofjbkmj)
- Amazon BSR Fast View (ID: nhilffccdbcjcnoopblecppbhalagpaf)
- Amazon Character Count & Seller Tools (ID: goikoilmhcgfidolicnbgggdpckdcoam)
- Amazon Global Price Checker (ID: mjcgfimemamogfmekphcfdehfkkbmldn)
- BestBuy Search By Image (ID: nppjmiadmakeigiagilkfffplihgjlec)
- SHEIN Search By Image (ID: mpgaodghdhmeljgogbeagpbhgdbfofgb)
- Shopify Search By Image (ID: gjlbbcimkbncedhofeknicfkhgaocohl)
- Walmart Search By Image (ID: mcaihdkeijgfhnlfcdehniplmaapadgb)
Automatic Affiliate Injection Operates Without User Consent
While “Amazon Ads Blocker” delivers its advertised ad-blocking functionality, it simultaneously embeds malicious code that scans all Amazon product URLs for affiliate tags—without any user interaction—and replaces them with “10xprofit-20” (or “_c3pFXV63” for AliExpress). When no affiliate tag exists, the code appends the attacker’s tag directly to the URL.
Additionally, Socket observed that the Chrome Web Store listing makes misleading disclosures by claiming that developers earn a “small commission” only when users apply coupon codes during purchases.
Affiliate links remain widely used across websites and social media platforms. These URLs contain unique identifiers that track referrals and sales for specific marketers. When users complete a purchase through such links, affiliates earn a percentage of the sale.
However, because the extensions actively search for and replace existing affiliate tags, content creators lose commissions whenever users who installed the add-ons click their shared links.
This behavior directly violates Chrome Web Store policies, which require extensions using affiliate links to clearly disclose their behavior, obtain user consent before each injection, and avoid replacing existing affiliate codes.
“The disclosure describes a coupon/deal extension with user-triggered reveals. The actual product is an ad blocker with automatic link modification,” Pandya explained. “This mismatch between disclosure and implementation creates false consent.”
“The extension also violates the Single Purpose policy by combining two unrelated functions (ad blocking and affiliate injection) that should be separate extensions.”
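The swap-or-append behavior described above can be checked by comparing a link as published with the URL the browser actually requested when the extension under test is installed. The following is an added example, not code from Socket or from the extensions; it assumes Amazon carries the affiliate ID in the `tag` query parameter, and the sample URL pairs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Tag value this page attributes to the Amazon extensions.
REPORTED_TAGS = {"10xprofit-20"}

# Constructed sample: (link as published, URL the browser requested).
SAMPLE_PAIRS = [
    ("https://www.amazon.com/dp/B000000001?tag=creator-20",
     "https://www.amazon.com/dp/B000000001?tag=10xprofit-20"),
    ("https://www.amazon.com/dp/B000000002",
     "https://www.amazon.com/dp/B000000002?tag=10xprofit-20"),
    ("https://www.amazon.com/dp/B000000003?tag=creator-20",
     "https://www.amazon.com/dp/B000000003?tag=creator-20"),
]

def affiliate_tag(url):
    """Return the last `tag` query value of a URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("tag")
    return values[-1] if values else None

def classify(published, requested):
    """Compare the tag on a published link with the tag actually requested."""
    if urlsplit(published).path != urlsplit(requested).path:
        return "different-page"
    before, after = affiliate_tag(published), affiliate_tag(requested)
    if after == before:
        return "unchanged"
    if after is None:
        return "removed"
    # A creator's tag was overwritten, or a tag was added where none existed.
    return "appended" if before is None else "replaced"

def review(pairs):
    """Return (verdict, tag, matches_reported_tag) for each rewritten link."""
    findings = []
    for published, requested in pairs:
        verdict = classify(published, requested)
        if verdict in ("appended", "replaced"):
            tag = affiliate_tag(requested)
            findings.append((verdict, tag, tag in REPORTED_TAGS))
    return findings
```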
Data Scraping, Exfiltration, and Fake Urgency Tactics
Beyond affiliate hijacking, researchers found that the extensions scrape product data and exfiltrate it to “app.10xprofit[.]io.” Extensions targeting AliExpress also deploy fake “LIMITED TIME DEAL” countdown timers on product pages to manufacture urgency and push users toward quick purchases that generate affiliate commissions.
“Extensions that combine unrelated functionality (ad blocking, price comparison, coupon finding) with affiliate injection should be treated as high-risk, particularly those with disclosures that don’t match the actual code behavior,” Socket said.
Meanwhile, Broadcom-owned Symantec flagged four separate extensions with a combined user base exceeding 100,000 users, all designed to steal data:
- Good Tab (ID: glckmpfajbjppappjlnhhlofhdhlcgaj), which grants full clipboard permissions to an external domain (“api.office123456[.]com”) to enable remote clipboard-read and clipboard-write permissions
- Children Protection (ID: giecgobdmgdamgffeoankaipjkdjbfep), which implements functionality to harvest cookies, inject ads, and execute arbitrary JavaScript by contacting a remote server
- DPS Websafe (ID: bjoddpbfndnpeohkmpbjfhcppkhgobcg), which changes the default search to one under their control to capture search terms entered by users and potentially route them to malicious websites
- Stock Informer (ID: beifiidafjobphnbhbbgmgnndjolfcho), which is susceptible to a years-old cross-site scripting (XSS) vulnerability in the Stockdio Historical Chart WordPress plugin (CVE-2020-28707, CVSS score: 6.1) that could allow a remote attacker to execute JavaScript code
“While browser extensions can provide a wide range of handy tools to help us achieve more online, much care needs to be taken when choosing to install them, even when installing from trusted sources,” researchers Yuanjing Guo and Tommy Dong said.
Separately, researchers identified another network of 16 malicious extensions—15 on the Chrome Web Store and one on the Microsoft Edge Add-ons marketplace—that intercept and steal ChatGPT authentication tokens by injecting content scripts into chatgpt[.]com. According to LayerX, users downloaded the extensions approximately 900 times.
Researchers attribute the extensions to a coordinated campaign due to shared source code, icons, branding, and descriptions:
- ChatGPT folder, voice download, prompt manager, free tools – ChatGPT Mods (ID: lmiigijnefpkjcenfbinhdpafehaddag)
- ChatGPT voice download, TTS download – ChatGPT Mods (ID: obdobankihdfckkbfnoglefmdgmblcld)
- ChatGPT pin chat, bookmark – ChatGPT Mods (ID: kefnabicobeigajdngijnnjmljehknjl)
- ChatGPT message navigator, history scroller – ChatGPT Mods (ID: ifjimhnbnbniiiaihphlclkpfikcdkab)
- ChatGPT model switch, save advanced model uses – ChatGPT Mods (ID: pfgbcfaiglkcoclichlojeaklcfboieh)
- ChatGPT export, Markdown, JSON, images – ChatGPT Mods (ID: hljdedgemmmkdalbnmnpoimdedckdkhm)
- ChatGPT Timestamp Display – ChatGPT Mods (ID: afjenpabhpfodjpncbiiahbknnghabdc)
- ChatGPT bulk delete, Chat manager – ChatGPT Mods (ID: gbcgjnbccjojicobfimcnfjddhpphaod)
- ChatGPT search history, locate specific messages – ChatGPT Mods (ID: ipjgfhcjeckaibnohigmbcaonfcjepmb)
- ChatGPT prompt optimization – ChatGPT Mods (ID: mmjmcfaejolfbenlplfoihnobnggljij)
- Collapsed message – ChatGPT Mods (ID: lechagcebaneoafonkbfkljmbmaaoaec)
- Multi-Profile Management & Switching – ChatGPT Mods (ID: nhnfaiiobkpbenbbiblmgncgokeknnno)
- Search with ChatGPT – ChatGPT Mods (ID: hpcejjllhbalkcmdikecfngkepppoknd)
- ChatGPT Token counter – ChatGPT Mods (ID: hfdpdgblphooommgcjdnnmhpglleaafj)
- ChatGPT Prompt Manager, Folder, Library, Auto Send – ChatGPT Mods (ID: ioaeacncbhpmlkediaagefiegegknglc)
- ChatGPT Mods – Folder Voice Download & More Free Tools (ID: jhohjhmbiakpgedidneeloaoloadlbdj)
AI Extensions Expand the Browser Attack Surface
As AI-related browser extensions increasingly enter enterprise workflows, this campaign highlights a growing attack surface. Threat actors now exploit the trust associated with popular AI brands to trick users into installing malicious add-ons.
Because these tools often operate with elevated browser privileges and access sensitive data, attackers can gain persistent access without exploiting traditional vulnerabilities or triggering security alerts.
“Possession of such tokens provides account-level access equivalent to that of the user, including access to conversation history and metadata,” security researcher Natalie Zargarov said. “As a result, attackers can replicate the users’ access credentials to ChatGPT and impersonate them, allowing them to access all of the user’s ChatGPT conversations, data, or code.”
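The capabilities described in the Symantec findings (clipboard and cookie access, a changed default search) and in the ChatGPT campaign (content scripts on chatgpt[.]com) all have to be declared in an extension's manifest.json, so a manifest review can surface them before installation is approved. The following is an added example, not code from Symantec or LayerX; the sample manifest is constructed, the function names are illustrative, and the flags only mark what to review, they do not prove malicious behavior.

```python
# Constructed sample manifest; not taken from any extension named on this page.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example chat helper",
    "permissions": ["storage", "cookies", "clipboardRead"],
    "content_scripts": [
        {"matches": ["https://chatgpt.com/*"], "js": ["inject.js"]}
    ],
    "chrome_settings_overrides": {
        "search_provider": {"name": "Example",
                            "search_url": "https://search.example/?q={searchTerms}"}
    },
}

RISKY_PERMISSIONS = {"cookies", "clipboardRead", "clipboardWrite"}

def pattern_covers(pattern, host):
    """True if a Chrome match pattern applies to https pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    host_pat = rest.split("/", 1)[0]
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):  # wildcard covers the domain and its subdomains
        base = host_pat[2:]
        return host == base or host.endswith("." + base)
    return host == host_pat

def triage(manifest, watched_hosts=("chatgpt.com",)):
    """Return sorted review flags for one parsed manifest.json."""
    flags = set()
    for perm in manifest.get("permissions", []):
        if isinstance(perm, str) and perm in RISKY_PERMISSIONS:
            flags.add("permission:" + perm)
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        flags.add("search-provider-override")
    for script in manifest.get("content_scripts", []):
        for host in watched_hosts:
            if any(pattern_covers(p, host) for p in script.get("matches", [])):
                flags.add("content-script:" + host)
    return sorted(flags)
```

Load each installed extension's manifest.json with `json.load` and pass the result to `triage`; extend `watched_hosts` with the SaaS hosts that matter in your environment.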
Stanley Malware Toolkit Lowers the Barrier for Extension Abuse
The findings also align with the emergence of Stanley, a new malware-as-a-service toolkit advertised on a Russian cybercrime forum for prices ranging from $2,000 to $6,000. The toolkit allows attackers to generate malicious Chrome extensions that serve phishing pages through HTML iframes while preserving legitimate URLs in the browser’s address bar.
The service offers customers a command-and-control panel to manage victims, configure redirects, and send fake browser notifications. At the $6,000 tier, the seller promises guaranteed approval on the Chrome Web Store.
These extensions often masquerade as harmless note-taking tools. However, when users navigate to attacker-selected websites—such as banking portals—the extension activates a full-screen phishing iframe while keeping the URL bar unchanged. This tactic creates a powerful visual deception that can fool even cautious users into surrendering credentials.
As of January 27, 2026, the service appears to have disappeared, likely following public disclosure, though it may re-emerge under a different name.
“Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis researcher Daniel Kelley noted earlier this week. “BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint. Attackers have noticed. Malicious browser extensions are now a primary attack vector.”
Source: TheHackerNews