An imitation "Extension for Evernote" that rolls out spam advertisements on a web page will be on sale


Provide free security softwareMalwarebytesResearchers found an imitation "Extension for Evernote" and download it as a free online scan service for viruses, malware, URLVirusTotalWhen I scanned it with a suspicious program (PUP) It turned out that it was.

Fake Evernote Extension Serves Advertisements | Malwarebytes Unpacked

Fake Evernote extension is spamming Chrome users, warns Malwarebytes - The Inquirer

The name of Evernote's official extension is "Evernote Web", but there seems to be a fake extension with exactly the same name as this. This fake "Evernote Web", if you run some PUP, Google Chrome ·Torch Browser·Comodo Dragon Internet BrowserIt quietly slips into the setting screen of the.

And when you open "Extension" on the setting screen, "Evernote Web" which you do not remember installing is displayed.

However, the real "Evernote Web" is not displayed in the setting screen, it is only displayed in the application list.

If you click "Visit website" on the setting screen as "Why did you install such an extended function?", It will be skipped to the page on the real Evernote Web's Chrome Web Store. And Chrome misunderstands that the real extension is installed and displays the "LAUNCH APP" button at the upper right of the screen, and clicking this button installs the fake extension. At this time nothing happens on the PC screen, but if you start the real "Evernote Web", a new tab opens and the Evernote login screen will be displayed.

For the digital signature of the fake extension, it is written as "Open Source Developer, Sergei Ivanovich Drozdov", which seems to be reliable at first sight, but details Looking at it, it seems that the certificate has already been invalidated by the issuer. Malwarebytes commented, "This fake showed that it is not necessarily a reliable program just because there is a digital signature."

If you installed a fake extension as an extension of Google Chrome on a PC with Windows 7, three unidentified JavaScript files and one HTML file are displayed in the folder like this .

The script included in the fake extension will get the page information the user is watching via the configuration file (manifest.json) and display advertisements accordingly.

For example, on the online shopping siteNewegg.comThis advertisement will be displayed when you are watching. The feeling you see is just a pop-up advertisement, as if the website is displaying it. However, actually the fake extensions are displaying this advertisement.

Pop-up advertisement is like this.

John Deere's siteWhen looking at,Nico Nico Video Flash Player AdvertisementAs a malicious advertisement disguised as software update display is displayed as well, so care must be taken enough.

These were reported to Nikoniko Info on August 14 "Please pay attention to malware pretending to system update notificationAlthough it is very similar to the behavior of "Evernote Web", it is easy to delete the fakes "Evernote Web" by the same procedure as the usual extension method.

in Note, Posted by logu_ii