Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.
The victims this time were AdBlock by AdBlock Inc (easily confused with legitimate extension AdBlock by getadblock) and uBlock by Charlie Lee (similar-sounding to uBlock.org’s uBlock or Raymond Hill’s uBlock Origin).
The impersonation was made public in a blog by rival adblocker maker, AdGuard, whose Andrey Meshkov decided to take a closer look at the fake software’s behaviour.
The short and surprising answer – they block ads – perhaps not a huge ask given that both appear to have been based on the same code as the original AdBlock.
However, according to Meshkov, 55 hours after installation, they start doing something called ‘cookie stuffing’, a common ad fraud technique.
Normally, an eCommerce website will check cookies to work out how that user arrived at their site, paying a fee to the affiliate responsible when a purchase is made.
It’s a hidden cornerstone of the internet economy which criminals subvert by ‘dropping’ floods of cookies on to a computer to make it appear the user clicked on an affiliate ad when they didn’t.
Because only a small number of users will make a purchase from a site, the fraudsters need to sneak their cookie stuffing programs on to as many computers as possible. Writes Meshkov:
These two add-ons have more than 1.6 Million ‘weekly active users’, who were stuffed with cookies of over 300 websites from Alexa Top 10,000. It is difficult to estimate the damage, but I’d say that we are talking about millions of USD monthly.
Unchecked, it’s easy to see how this sort of scam could cost large brands a lot of money which explains why a handful of people accused of this scam in the US have ended up in jail.
If cookie stuffing has been going on forever, why does it keep happening?
Remember, this affects everyone – the users who end up with possibly dangerous software on their computers, the brands paying for bogus clicks, and the legitimate extension makers who have their brands hijacked.
It’s a problem that nobody seems to have the answer to, least of all Google, which is often caught flat-footed by fakes sitting in plain sight. Meshkov says Google ignored his reports until the story went public and the rogue extensions were finally taken down.
That brings to mind the weeks it took Google to take down a rogue version of AdBlock Plus in 2017, to pick just one example – this is certainly not a one-off.
Obviously, the buck should stop with Google on its own site but identifying legitimate software is often very difficult. For example, adblockers all tend to look the same, right down to their names, the colours and appearance of their branding.
Even the gold standard of judging an extension or app from the number of users wouldn’t have worked once the fakes themselves have been downloaded hundreds of thousands of times.
No matter how hard Google says it’s working to stop them, the most effective extension detectives are still researchers, security companies and the users themselves, acknowledged by Google when it recently expanded its Developer Data Protection Reward Program (DDPRP) and Google Play Security Reward Program (GPSRP).
As far as we can tell, these don’t reward the simple issue of calling out fakes when it’s not clear what they might be doing at a deeper level.
That’s a shame because finding malicious or fake programs is also about finding them quickly. Google should be edging towards a system that incentivises users to report suspect extensions, even if it means getting set up to handle a flood of false positives.