Excellent job, Google
on maintaining your security from Day 1. You should be proud of your team's work.
(If you couldn't recognize the /s, I'll put it in here now)
Google has removed more than 500 Chrome extensions in response to a report from a security researcher, who found the browser plugins distributed through the Chrome Web Store facilitated ad fraud and data theft. Using a free extension forensic analysis tool called CRXcavator, released last year by Cisco's Duo Security, …
Heh, and with the end-users actually not seeing the ads, I wonder if Google was making ANY money at all via the mal-vertising, skimming a bit off the top along with the scammers.
End user: "I sure am seeing a lot of XXX e-mail in my inbox. I wonder who thinks I actually need this stuff..." [but the ads were being "clicked on"] [meanwhile the advertisees were billed for a 'click'] [and where did that money go again? did Google get any?]
If the recipient telco's customer database wasn't leaked in the first place, the spammers wouldn't have any names and numbers to use as a dialling list.
But I agree there appears to be no incentive for the telcos to do anything. Perhaps an investigation and massive fine from the ICO would make them pay more attention... But short of bringing their call centres all back on-shore, not sure there are any other solutions. Meanwhile all existing records are loose anyway...
"which, if true, suggests Google's security scanning for extensions, at least up to this point, hasn't been particularly sophisticated."
So, pretty much like the worthless "Play Protect" on Android which turns a blind eye (more like both eyes) to pre-installed malware pushed on to the devices by manufacturers, data providers, world+dog.
https://privacyinternational.org/news-analysis/3330/senior-google-engineer-reveals-privacy-bombshell-androids-preinstalled-apps?PageSpeed=noscript
^^^^(Excellent work by Maddie Stone in the link above)^^^^
I wonder--it seems unlikely that Google lost money due to these. In fact, if they used Google ads at any point, Google probably got some as an indirect result. The ones who lost were the people advertising, and they could theoretically have a claim against Google for being negligent in the prevention of crime and possibly possession of money obtained unlawfully if it can be proven that Google failed to prevent the fraud in a timely manner. It would be nice to see this investigated. So that'll never happen.
Oh yes. DuckDuck every time.
Plus only log in with real details to any site when you need to, and then log out again. Better to use an anonymous account if you can. If you do use a real account (one that means they can get money off you if they steal the credentials) then don't save them in the browser.
Use Adblock Plus and No Script, and delete ALL your cookies on exit. Then make sure you exit the browser at least once per day.
None of the above guarantees security, but at least you can make it a little harder for the bar stewards to get anything useful off you.
"malicious extensions appear to have been designed to operate unobtrusively and generate ad revenue by redirecting the victim's browser to a series of host sites – almost all hosted on AWS..."
Based on my experience, AWS is a favorite hiding place of all manner of evil doers these days. Maybe it's a little too easy to get an account and Amazon is way too lax in policing their users.
Or, maybe that's just the way it is...we are all corporate sheep waiting our turn to be fleeced.
Well, the closest thing to that I can think of is the cookie vault in CCleaner - you can put the cookies you want to keep in the vault and when cleaning, it will leave those alone. But you have to close the browser to do the cleaning. I've noticed since I started using DuckDuckGo on Chrome, I have way fewer cookies to clean each time. DDG has granular control of what you want to block on each site and it remembers that. I think it is way better even than NoScript!
As long as you have an ecosystem that bids for viewer eyeballs, and pays with real cash dollars for alleged views - whether real or fake - then there are going to be people who try and game the system; parasites if you will.
Because the majority of the internet, as far as I can see, is no more to do with what the user wants to see than as a vast charging system on that very viewer, due to the advertising product on everything he buys.
If that infrastructure were not in place, there would be no need for the advertisers' desperate attempts to track out every movement, our likes and dislikes, just so we can have the perfect advert stopped dead by uBlock or its friends.
Google already requires a credit card on file for extension developers. Why not track down the developer and prosecute them by the law!
And how do other extensions like uBlock Origins, PhartShield, NoScript fare in terms of privacy compared with these extensions?
The extension developers could be found guilty of fraud as they alleged true visitors when there weren't any. As for finding these developers, I'm guessing they used a prepaid credit card without a name on it. Either that or a stolen one (I'm not sure if they ever had to pay with it). Some criminals are dumb enough to use their own ID, but ones that set up a fraud operation using so many site copies probably go to the relatively minor effort of getting an anonymous one.