Spyware in browser extensions — it’s worse than you think

Published Aug 19, 2018. 11 minutes to read.
Tagged with Security.

Just recently, Andrey Meshkov from AdGuard, in his article “Big Star Labs” spyware campaign affects over 11,000,000 people, demonstrated how malicious browser extensions can, and in fact do, gain access to the personal browsing history of unsuspecting users, potentially leaking this information to third parties.

Thanks to an accidental discovery I made today, it seems that might very well be true.

TL;DR

Big Star Labs LP, the company behind countless spyware applications gathering user browsing history data, is sharing at least part of that data with at least one outside player: Amobee, Inc., which has the Kontera brand in its portfolio.

Background

This Saturday I finally found some time to roll out a new, shiny build server for my personal open source projects. I decided to test the installation with a private GitHub repo, just to see how the CI app I had picked works behind the scenes, and to do so I initially forwent my usual security measures, namely putting a firewall in front of the CI server. This chance decision was essential to what I discovered next.

What’s in the log

Come Sunday morning, satisfied with my CI setup, I decided to check the access log, as the HTTP server was still open to the world at that point, to make sure nothing odd had happened since I started the service.

This is the log line (excerpted from the full access log at the end of this article) that caught my attention:

54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"

A completely regular request, you might think at first. A couple of problems, however:

  1. That is not my IP address. That’s an Amazon AWS network block.
  2. That GET request targets a URL that is only accessible to authenticated users. And there is only one person who has the credentials: me.
  3. The URL in question is not listed anywhere outside the user area.

At this point, some things needed clarifying: how did this visitor get the URL, given that the chance of someone guessing it at random is zero; who are they; and why are they accessing it. (Note also that every request in the logs, /robots.txt included, gets the same 200 response of 257 bytes, so the crawler is getting back the same page shell every time rather than the content behind the login; what has leaked is the URL itself, which is the whole point.)

To take the second question first: a quick nslookup later and we have the “who” part:

> nslookup 54.209.60.63 8.8.8.8
Server:       8.8.8.8
Address:      8.8.8.8#53

Non-authoritative answer:
63.60.209.54.in-addr.arpa  name = nat.aws.kontera.com.

The IP address is from Amazon, but the reverse points to **Kontera Technologies, Inc. — an acquisition of Amobee, Inc.**

Now the tricky part: how could they possibly have got their hands on this URL? So I set off to eliminate the usual suspects (server compromised, my machine compromised, CI software compromised), until I noticed something very odd while monitoring the logs and browsing the CI: more requests kept popping in!

This led me to believe that either my machine, my browser itself, or one of the browser extensions I had installed had been compromised. Anything between me and the server is unlikely to be to blame, as the server has been configured to use HTTPS by default since before the CI was installed. Since a malicious browser extension seemed the most likely culprit, I disabled all the extensions and re-enabled them one by one until Chrome’s chrome://net-internals started to show interesting things. (Chrome has since removed the events view from net-internals; in current versions, capture a NetLog via chrome://net-export and load it in the NetLog viewer to get the same picture.)

81764   SOCKET https://api2.poperblocker.com/
82335  URL_REQUEST    https://api2.poperblocker.com/view/update
82336  HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82337  HTTP_STREAM_JOB    https://api2.poperblocker.com/
82343  DISK_CACHE_ENTRY   
82344  URL_REQUEST    https://api2.poperblocker.com/view/update
82345  HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82346  HTTP_STREAM_JOB    https://api2.poperblocker.com/
82352  DISK_CACHE_ENTRY   
82400  URL_REQUEST    https://api2.poperblocker.com/view/update
82401  HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82402  HTTP_STREAM_JOB    https://api2.poperblocker.com/
82403  DISK_CACHE_ENTRY   
82463  QUIC_SESSION   www.google.es
82600  URL_REQUEST    https://api2.poperblocker.com/view/update
82601  HTTP_STREAM_JOB_CONTROLLER https://api2.poperblocker.com/view/update
82602  HTTP_STREAM_JOB    https://api2.poperblocker.com/
82603  SSL_CONNECT_JOB    ssl/api2.poperblocker.com:443
82604  TRANSPORT_CONNECT_JOB  ssl/api2.poperblocker.com:443
82605  HOST_RESOLVER_IMPL_JOB api2.poperblocker.com
82606  SOCKET ssl/api2.poperblocker.com:443

Whenever I opened a page, the Poper Blocker extension would send encoded payloads to its own domain. Well, at least they are using HTTPS…

All the requests I logged go to the same domain from the same extension, each one seconds to minutes before a new line appears in the CI server access log showing the server has been hit yet again by a crawler that has no business being there.

At this point I went to google around, and this is how I stumbled upon the excellent piece by Andrey Meshkov: “Big Star Labs” spyware campaign affects over 11,000,000 people. It also contains all the payloads and extra technical detail about how the extension spyware operates.

The honeypot

To prove beyond doubt that what I suspected, and what Andrey Meshkov described in his article, was indeed what was happening, I hatched a small test: a fake private URL with an injected A element that would trigger Poper Blocker’s reporting script, opened in a fresh browser instance with no other extensions.

A little while later, et voila:

54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"

The IP addresses I managed to collect over the course of this ordeal all reverse-resolve to *.kontera.com:

54.209.60.63 nat.aws.kontera.com.
54.175.74.27 nat-service3.aws.kontera.com.
52.71.155.178 nat-service.aws.kontera.com.
54.86.66.252 nat-service4.aws.kontera.com.
184.72.115.35 nat-service1.aws.kontera.com.
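As an added example (my own code, not the article’s), here is the honeypot test and the log triage from the sections above in Python: it generates an unguessable honeypot path, renders the bait page with the injected A element, then runs detection over access-log lines, flagging requests for private or honeypot paths from addresses outside an allow-list and attributing them through their reverse-DNS names. The sample log lines are copied from this article’s access log plus one constructed line (203.0.113.5) standing in for the owner’s own visit; the base URL ci.example.invalid and the PTR map are assumptions, the reverse lookups themselves being done out of band with nslookup as in the article.

```python
"""Honeypot URL + access-log triage for leaked private URLs (added example, not the article's code)."""
import html
import re
import secrets
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined log format as written by nginx/Apache and shown in this article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Sample input: four lines copied from the article's access log, one constructed line
# (203.0.113.5, the owner's own legitimate visit) and one junk line the parser must skip.
UA = ('"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 '
      '(KHTML, like Gecko) Version/8.0 Safari/600.1.25"')
HONEYPOT = "/clearly-this-is-a-honeypot-for-big-star-labs/"
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Aug/2018:17:50:01 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0"',
    f'54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" {UA}',
    f'54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" {UA}',
    f'54.175.74.27 - - [18/Aug/2018:17:52:27 +0200] "GET /Addvilz/drone-docker-demo/settings/secrets HTTP/1.1" 200 257 "-" {UA}',
    f'54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET {HONEYPOT} HTTP/1.1" 200 257 "-" {UA}',
    "this line is not a log line and must be skipped",
]
# Reverse-DNS names from the article's nslookup output; the lookups themselves happen out of band.
PTR = {
    "54.209.60.63": "nat.aws.kontera.com.",
    "54.175.74.27": "nat-service3.aws.kontera.com.",
    "54.86.66.252": "nat-service4.aws.kontera.com.",
}


def make_honeypot_path(prefix="clearly-this-is-a-honeypot"):
    """Unguessable path: 128 bits from the OS CSPRNG, so a hit proves leakage, not guessing."""
    return f"/{prefix}-{secrets.token_urlsafe(16)}/"


def honeypot_html(path, base="https://ci.example.invalid"):
    """Bait page: one plain <a> to the secret URL, which is all an extension's content script needs."""
    href = html.escape(base + path, quote=True)
    return f'<!doctype html><html><body><a href="{href}">build log</a></body></html>\n'


def parse_log(lines):
    """Yield one dict per well-formed combined-log line; skip anything that does not parse."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def find_leaks(lines, private_prefixes, trusted_nets, honeypot_path=None):
    """Requests for private (or honeypot) paths from outside trusted_nets, grouped by client IP."""
    nets = [ip_network(n) for n in trusted_nets]
    prefixes = tuple(private_prefixes) + ((honeypot_path,) if honeypot_path else ())
    hits = defaultdict(list)
    for rec in parse_log(lines):
        try:
            ip = ip_address(rec["ip"])
        except ValueError:
            continue  # not an IP at all (e.g. a proxy wrote a hostname); nothing to attribute
        if any(ip in n for n in nets):
            continue  # our own traffic
        if prefixes and rec["path"].startswith(prefixes):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def attribute(hits, ptr_map):
    """Map each offending IP to (PTR name, registrable parent) using out-of-band reverse lookups."""
    out = {}
    for ip in hits:
        name = ptr_map.get(ip)
        parent = ".".join(name.rstrip(".").split(".")[-2:]) if name else None
        out[ip] = (name, parent)
    return out


def summarize(hits):
    """Per IP: hit count, first and last seen, to judge how quickly a leaked URL gets crawled."""
    return {ip: (len(r), min(x["ts"] for x in r), max(x["ts"] for x in r)) for ip, r in hits.items()}


if __name__ == "__main__":
    print("bait page:\n" + honeypot_html(make_honeypot_path()))
    leaks = find_leaks(SAMPLE_LOG, ["/Addvilz/"], ["203.0.113.0/24"], HONEYPOT)
    for ip, (name, parent) in attribute(leaks, PTR).items():
        n, first, last = summarize(leaks)[ip]
        print(f"{ip:15} {name or '?':32} {parent or '?':12} hits={n} first={first:%Y-%m-%d %H:%M}")
```

Two design points worth noting. The honeypot path comes from the OS CSPRNG rather than a memorable slug, so a single hit is proof of leakage and cannot be explained away as a lucky guess or a dictionary crawl; and the allow-list is matched on networks, not single addresses, because the owner’s own visits will come from whatever NAT or VPN egress they happen to be behind. Reverse DNS is kept as a plain mapping passed in, because PTR records are controlled by whoever owns the address block and should be captured and archived at the time of the investigation, as the article does, rather than trusted blindly later.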

A somewhat smoking gun

The domain name poperblocker.com is owned by Big Star Labs LP. At the time of this writing, this domain has a subdomain, webmail.poperblocker.com, pointing to 31.168.232.169, an IP assigned to Bezeq International Ltd, an Israel-based telecommunications company. That is somewhat odd, considering Big Star Labs LP is a Delaware-registered entity.

What is odder still, Kontera Technologies, Inc., acquired by **Amobee, Inc.**, was based in Israel.

Then there is this interesting article from 2012 (in Hebrew), https://www.haaretz.co.il/captain/software/1.1794725, confirming that the Poper Blocker extension was indeed made by an Israeli developer.

From Poper Blocker’s own privacy policy, quoting:

We may share your Non-Personal information with our parent company…

I will leave it up to you, dear reader, to speculate about probability of this all being just a coincidence.

The conclusion

Amobee, Inc. and **Big Star Labs LP** are definitely affiliated in some way. One might be using the other’s services, Big Star Labs LP could be sharing data with Amobee, or, most likely, Big Star Labs LP could be a subsidiary of Amobee. Given how quickly a request from the spyware extension published by Big Star Labs results in a crawl request from Amobee’s address space, it would not be unreasonable to conclude that the two are very closely affiliated.

Whatever the relationship is, user data is clearly being shared between the two, and at this point the “why” no longer even matters.

Tech stuff

poperblocker.com dig output

> dig @8.8.8.8 poperblocker.com any
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 poperblocker.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37971
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;poperblocker.com.    IN ANY
;; ANSWER SECTION:
poperblocker.com.  59 IN A  52.87.93.204
poperblocker.com.  59 IN A  34.204.22.236
poperblocker.com.  21599  IN NS ns-1413.awsdns-48.org.
poperblocker.com.  21599  IN NS ns-1645.awsdns-13.co.uk.
poperblocker.com.  21599  IN NS ns-726.awsdns-26.net.
poperblocker.com.  21599  IN NS ns-93.awsdns-11.com.
poperblocker.com.  899    IN SOA    ns-93.awsdns-11.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
poperblocker.com.  3599   IN MX 10 webmail.poperblocker.com.
poperblocker.com.  299    IN TXT    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDtnCfO3ESvRhMohdNr5Pjz9SOIT9UyXUdMGxJftJn0c83wIdHq0j53Ma8UC+tKUrlqxt5dwwKBqKmFCsu5+aO47O225o4vBR9ujfrNQbuxvOCyQXiOs5xxzGmeS3JIwQ0OCyzXczrrwiMrG24DLPEsbvU1OwdVHzhP1lGezU59UQIDAQAB"
;; Query time: 45 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 19 21:50:06 CEST 2018
;; MSG SIZE  rcvd: 529
> dig @8.8.8.8 webmail.poperblocker.com any
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 webmail.poperblocker.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;webmail.poperblocker.com. IN ANY
;; ANSWER SECTION:
webmail.poperblocker.com. 299  IN A  31.168.232.169
;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 19 21:50:27 CEST 2018
;; MSG SIZE  rcvd: 69
> whois -G 31.168.232.169 | grep 'org-name'
org-name:       Bezeq International-Ltd

Crawler reverse lookups

nslookup 54.209.60.63 8.8.8.8
nslookup 54.175.74.27 8.8.8.8
nslookup 52.71.155.178 8.8.8.8
nslookup 54.86.66.252 8.8.8.8
nslookup 184.72.115.35 8.8.8.8
63.60.209.54.in-addr.arpa  name = nat.aws.kontera.com.
27.74.175.54.in-addr.arpa  name = nat-service3.aws.kontera.com.
178.155.71.52.in-addr.arpa name = nat-service.aws.kontera.com.
252.66.86.54.in-addr.arpa  name = nat-service4.aws.kontera.com.
35.115.72.184.in-addr.arpa name = nat-service1.aws.kontera.com.

Access log

54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:16:02:50 +0200] "GET /account/repos HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/1 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/1/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:25 +0200] "GET /Addvilz/drone-docker-demo/settings/registry HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:27 +0200] "GET /Addvilz/drone-docker-demo/settings/secrets HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:17:52:32 +0200] "GET /Addvilz/drone-docker-demo/1/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:17:52:33 +0200] "GET /Addvilz/drone-docker-demo/settings HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:30 +0200] "GET /Addvilz/drone-docker-demo/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:18:01:30 +0200] "GET /Addvilz/drone-docker-demo/2/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:34 +0200] "GET /Addvilz/drone-docker-demo/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:34 +0200] "GET /Addvilz/drone-docker-demo/3/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:36 +0200] "GET /Addvilz/drone-docker-demo/4 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:01:36 +0200] "GET /Addvilz/drone-docker-demo/4/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:39 +0200] "GET /Addvilz/drone-docker-demo/5/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:01:40 +0200] "GET /Addvilz/drone-docker-demo/5 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:11:06 +0200] "GET /Addvilz/drone-docker-demo/5/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:11:12 +0200] "GET /Addvilz/drone-docker-demo/6/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:11:12 +0200] "GET /Addvilz/drone-docker-demo/6 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [18/Aug/2018:18:22:10 +0200] "GET /Addvilz/drone-docker-demo/6/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:31:18 +0200] "GET /Addvilz/drone-docker-demo/7 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [18/Aug/2018:18:31:18 +0200] "GET /Addvilz/drone-docker-demo/7/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [18/Aug/2018:18:31:19 +0200] "GET /Addvilz/drone-docker-demo/8 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:13:02:13 +0200] "GET /Addvilz/drone-docker-demo/8/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
184.72.115.35 - - [19/Aug/2018:18:26:58 +0200] "GET /Addvilz/drone-docker-demo HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.209.60.63 - - [19/Aug/2018:18:36:52 +0200] "GET /robots.txt HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:06:20 +0200] "GET /Addvilz/drone-docker-demo/9 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:06:21 +0200] "GET /Addvilz/drone-docker-demo/9/3 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:16:21 +0200] "GET /Addvilz/drone-docker-demo/9/2 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:27:25 +0200] "GET /Addvilz/drone-docker-demo/10 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
52.71.155.178 - - [19/Aug/2018:19:37:03 +0200] "GET /Addvilz/drone-docker-demo/11 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:19:47:00 +0200] "GET /Addvilz/drone-docker-demo/11/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.175.74.27 - - [19/Aug/2018:19:57:18 +0200] "GET /Addvilz/drone-docker-demo/12 HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
54.86.66.252 - - [19/Aug/2018:20:37:26 +0200] "GET /clearly-this-is-a-honeypot-for-big-star-labs/ HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"
© Matiss Treinis 2019, all rights, some wrongs and most of the lefts reserved.
Unless explicitly stated otherwise, this article is licensed under a Creative Commons Attribution 4.0 International License.
All software code samples available in this page as part of the article content (code snippets and similar) are licensed under the terms and conditions of Apache License, version 2.0.