Fraudulent MinerBlock Chrome Extension Plays Videos in Background of Users’ Device

Security researcher Bryan Campbell identified a fraudulent version of the legitimate MinerBlock Chrome extension, which blocks sites that utilize in-browser cryptocurrency-mining. The fraudulent version plays videos in the background without the user’s permission as opposed to the legitimate version which plays no videos. There are distinct differences between each extension’s Chrome Web Store page, with the legitimate version’s developer listed as CryptoMineDev and the malicious version’s developer listed as egopastor2016. The malicious version’s page also contains Russian text. While the logos are also different, the extensions themselves look very similar and have the same options interface. When the malicious version of the extension starts, it connects to the site egopastor[.]biz and retrieves a set of tasks that determine what options the extension will use and the URLs it should visit. The extension then connects to a URL that causes videos from Russian video sites to repeatedly play in the background. The videos are likely used for click-fraud through the display of advertisements, artificially increasing views. When the videos are playing, CPU utilization greatly increases. The NJCCIC recommends those who installed the fraudulent MinerBlock Chrome extension remove it immediately. We also recommend exercising caution when installing browser extensions and suggest reading reviews to help identify whether or not the extension is legitimate. Users should closely monitor system CPU usage for spikes in activity after installation.