Google, Manifest V3, and scammers gonna scam

Full article

With Google announcing that they're going to disable all extensions that don't upgrade to their Manifest V3 in just a few months (for blah blah, security something, and other reasons I don't care about but people smarter than me do.. and they're pissed), the environment is ripe right now for taking advantage of the situation. It'll probably get worse as the deadline approaches, but it's about as surprising as the world spinning one more time.

Let's face it, who isn't looking for any easy fix, even in the best of times? It's only natural to want a life with less hassle, which is why 11 lines of code broke the Internet, people spend billions on the lottery every year, and I swore I'd build a new roof over the playground in the spring but ended up using a tarp instead. At least it's a brown tarp, like nature intended.

When it's not the best of times though, when something happens that upsets the status quo and changes our plans for the week, we hope it'll just go away. Not that this google thing is on par with a financial crisis or unexpected lawsuit, but still.. it's a hassle and an easy fix would be welcome so everyone could get on with life!

Over the last week or so, I received a series of emails from the same source, one for each of my extensions in the Chrome store. Some poor grammar, but nothing in the email is wrong per se. My extensions are still using v2, conversion (convertion?) to version 3 is required, and all that other stuff they probably lifted from Google's site sounds accurate too. The one on the left is the first email I got; the one on the right is a later, more polished one.

All of the links lead to google subdomains like groups.google.com, developer.chrome.com, and blog.chromium.org, but there's obvious deception going on because the sending domain is 2x3.one and not google. The domain is registered with porkbun.com (why am I hungry now?), but of course everything interesting in the whois is redacted. Except the created date, which isn't terribly useful but shows the domain was registered a day before I got the first email.

The headers in the emails don't reveal much to my untrained eye.

The scammer appears to have used Mailgun for their spam campaign. The "spam" headers are interesting, and in this case seem to come from SpamAssassin. The levels in the first email I received, with images and more typos, received the highest score. The last 3 I received looked different, more polished. The first one had a lower spam score, but within a few minutes when I received the others, the score kept increasing. I wonder how high that score has to get for X-Spam-Status to say "Yes"?

--== Original email ==--

X-Spam-Flag: NO
X-Spam-Score: 4.423
X-Spam-Level: ****
X-Spam-Status: No, score=4.423 tagged_above=2 required=6
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DKIM_VALID_EF=-0.1, FROM_FMBLA_NEWDOM=1.498, HS_RSPAMD_8_9=2,
	HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001,
	MPART_ALT_DIFF_COUNT=1.112, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
	T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001]
	autolearn=no autolearn_force=no
X-Rspamd-Queue-Id: 33741A136A
X-Rspamd-Score: 9.20 / 15.00 / 15.00
X-MBO-SPAM-Probability: *******


--== Later emails ==--

X-Spam-Flag: NO
X-Spam-Score: 2.799
X-Spam-Level: **
X-Spam-Status: No, score=2.799 tagged_above=2 required=6
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DKIM_VALID_EF=-0.1, FROM_FMBLA_NEWDOM14=0.998, FROM_LOCAL_NOVOWEL=0.5,
	HS_RSPAMD_6_7=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
	URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=no autolearn_force=no
X-Rspamd-Score: 6.63 / 15.00 / 15.00
X-Rspamd-Queue-Id: 52DAFA143D
X-MBO-SPAM-Probability: *****


X-Spam-Flag: NO
X-Spam-Score: 4.3
X-Spam-Level: ****
X-Spam-Status: No, score=4.3 tagged_above=2 required=6 tests=[DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	FROM_FMBLA_NEWDOM14=0.998, FROM_LOCAL_NOVOWEL=0.5,
	HS_RSPAMD_10_11=2.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001,
	URI_NOVOWEL=0.5] autolearn=no autolearn_force=no
X-MBO-SPAM-Probability: *******
X-Rspamd-Score: 10.22 / 15.00 / 15.00
X-Rspamd-Queue-Id: 1666BA0C0A


X-Spam-Flag: NO
X-Spam-Score: 4.299
X-Spam-Level: ****
X-Spam-Status: No, score=4.299 tagged_above=2 required=6
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DKIM_VALID_EF=-0.1, FROM_FMBLA_NEWDOM14=0.998, FROM_LOCAL_NOVOWEL=0.5,
	HS_RSPAMD_10_11=2.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
	URIBL_BLOCKED=0.001, URI_NOVOWEL=0.5] autolearn=no autolearn_force=no
X-MBO-SPAM-Probability: ********
X-Rspamd-Score: 10.63 / 15.00 / 15.00
X-Rspamd-Queue-Id: B3101A52E8

Side note, there's less than 200k browser extensions and Mailgun charges $80 for 100k emails, so the scammers could pull this off for about $150 usd. But the first and last emails look different, so they didn't spam everyone at once and might be taking advantage of Mailgun's free 5k emails/mo deal somehow. Doesn't matter I guess, but either way the financial risk if the scam fails seems minimal.

There were images in the early emails that, if loaded, would indicate that the recipient received the email, but those were removed in the later ones. The "from" address was changed to use the extension id of each addon, so it seems like they swapped one form of tracking out for another. Maybe an attempt to avoid spam blockers? The big "Convert" button is definitely a tracker, with a very specific link in the format of "https://<extension_id>.2x3.one/direct.php?id=<extension_id>"

That was all I could get without loading the site and delving a bit deeper, so... time to delve deeper! I didn't want to click the link in the email and acknowledge receiving it, so I went directly to the 2x3.one domain and got this lovely little page. Upload an extension and fake-google will convert it for us, just like that, no questions asked! Never mind there's no mention of this tool in their docs, including the ones the scammer linked to in the email.

Not too much in the page source code that's interesting, in the way of meta tags in the header, or a big comment at the bottom of the page with the scammer's contact information. Heh.

Clicking "Upload" without actually uploading anything presents both an error and a success message. Schrödinger's conversion service. It's like maybe someone didn't take the time to properly test this thing. Scammers these days.

The console is definitely your friend here, to watch it in action. On the network tab, it's doing a POST to the shady domain (where it's uploading whatever file you might've attached) and a GET from the same shady domain. And one more GET from google-analytics.com which, let's face it, is a shady domain too.

Over in the Elements tab, we can see the "Here" link is attached to a function named "downloadf()". The easiest way I know of to find out what that does is to just type it into the console (without the parentheses) and double-click on the code that prints out.

So, after uploading a zip file with the extension in it, the site does a magic transformation and then offers a zip file in return. The name ".zip" is weird, but then I didn't actually upload a file, and the scammer didn't test all the edge cases, so.. ".zip" it is I guess. This is kind of a dead end again, but it's pretty clear that we get our extension back, so they're doing something to it. Just not sure what yet. The wording under "Next step?" in the above screenshot makes it clear the scammer is hoping we'll just upload the updated extension back to the google store. No peeksies!

There's nowhere to go from here unless we actually upload a file, so let's do that. I could've uploaded my own, since they're all publicly available anyway, but it seemed more appropriate to upload a questionable addon to the questionable site. Finding such an addon is super easy, barely an inconvenience, and I found one called "Copy To Clipboard" in no time at all. It just adds an event that copies any text you select to your clipboard, and opens some website when you install or uninstall the addon. That'll do niiiicely.

Note: At this point I was in a VM that I can just wipe out of existence later. Although I'm pretty sure the point of all this is to add something to your extension and get you to upload it to the store without question, I don't trust the zip file coming back and I want to open it up and compare the contents to the original.

I uploaded the addon and got the nifty little "Click Here" link again, and this time it led to an actual file. Oddly, clicking the link inside the browser appeared to do a GET but nothing actually downloaded. Is there something wrong with the JavaScript snippet they're executing that I'm missing? Seems pretty straight-forward, but maybe it's something that used to be allowed but is deprecated now?

Determined to be scammed, I just entered the zip file URL into the address bar to download it. The first thing I noticed on opening it is that everything has been moved into a subdirectory named with "_delete" on the end. I'm not sure that would even be accepted by the store.

Let's assume it would be though. What else is going on inside there? It's fair to assume that whoever's doing this wouldn't want to actually alter the addon or they'd be more likely to get caught. Making the addon do something new though.. that might work.

Opening the old (left) and new (right) manifest.json files, there's a new snippet there at the bottom. A script called "angular.js" that's set to run on every single page the user visits, and since it's set as a content script it has access to read and modify the entire page it's running on.

There's other changes too, like combining several files into a single one. I'm not sure why it did that, but it didn't look like anything new was added there. It seems like the site is actually upgrading extensions to Manifest v3, but I can't verify that (mostly because I haven't bothered to learn about V3 yet). Besides, there's no way a tool can reliably upgrade every addon. They're just too complex and varied, which is why Google can't offer such a tool itself.

Back to that angular.js file. That sounds harmless enough right? Manifest V3 is a Google initiative, Angular is maintained by Google, and it's possible to use Angular to write addons. I mean, it makes absolutely no sense here, but I guess someone's hoping this slips through based on the name. A quick peek inside though, and yeeeah. All bets are off.

It's heavily obfuscated, making it pretty impossible to tell what it's supposed to do. It could be reading anything from the page and sending it off to wherever - maybe looking for fields with IDs like username and password, for instance. The whole thing is in a gist here.

Deobfuscator tools like this or this do a nice job of unwinding it, to a point. I see references to document and document.body that suggest it's reading something from the page, and a lot of regex stuff going on meaning it could be looking for specific patterns in the page. You can see the results of deobfuscation here, but I still can't tell what's doing. Can you?

The best way to see what it's doing might be to run it locally, and watch the network tab in the console to see what that shows. Still inside the VM, it's time to try loading it and visiting a page we don't care about it scanning, like cnn.com.

First I enabled debugging, and then tried to load the extension as-is, knowing the weird nested "_delete" folder would be problematic.

Yep. Okay, maybe zipping just the subdirectory will work instead.

Hm, still no good. Oh right, chromium-based browsers usually expect the folder containing the files to be zipped up, but Firefox expects the contents to be zipped without a folder. It's a minor difference, but they don't seem to work interchangeably. Third time's a charm.  

Or not. At this point, I give up. I mean, I'm actively trying to run the scammer's modified file and it just won't run, so I'm throwing in the towel. Thoughts?

In the meantime, I reported the domain and emails to both porkbun and Mailgun. I suppose the damage is already done with Mailgun, but if porkbun can shut the site down then that might limit the potential damage.

Author

Grant Winney

I write when I've got something to share - a personal project, a solution to a difficult problem, or just an idea. We learn by doing and sharing. We've all got something to contribute.


Comments / Reactions

One of the most enjoyable things about blogging is engaging with and learning from others. Leave a comment below with your questions, comments, or ideas. Let's start a conversation!