WARNING ADFIVER IS STEALING YOUR DATA

Started by DaveJohnsen
2016-01-30 at 23:20
DaveJohnsen
Standard
Posts: 4
Admin edited the post on 2016/01/17 at 21:47
UPDATE: The scammers from adfiver (and previous scams) registered a new domain today (the 17th of January) to attempt to distribute their fake "PTC investigations" site with the false information already uncovered in this topic.

They're pissed right now that their site has no money left to pay users and that everyone knows their extension was actually created to steal passwords.

Kids will be kids.

Note: A few minutes after I posted this they started redirecting traffic from their fake "rotate4alls" to the original "rotate4all" site (which has nothing to do with them).

Now the real owner of "rotate4all" got the fake site to redirect to this lovely thread. That's what Karma is all about.

__________________________________________________


If you’re using an extension from a site called "AdFiver" REMOVE it IMMEDIATELY and change your password(s) NOW.

That extension is basically stealing your NeoBux login information (and probably other sites as well).

That was the short version so here’s the documented one:

First let’s take a look at the manifest (the basic configuration file for an extension):


In the manifest file you can see that they have asked for permissions to all websites, even secure ones, when they don't actually use them inside the extension for their own website.
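To make that manifest check repeatable, here is an added example (not code from the extension or from this thread): a small Node.js script that audits an extension manifest for the two things pointed out above, host permissions that cover every website and a content script injected into every page. The manifest it inspects is a constructed sample with that shape, and "extension-site.example" in the narrowed version is a hypothetical domain.

```javascript
// Added example, not the AdFiver extension's code: audit a Chrome extension
// manifest for broad host permissions and all-sites content scripts.
// Constructed sample that reproduces the shape described in the post.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "constructed-sample-extension",
  version: "1.0",
  manifest_version: 2,
  permissions: ["tabs", "storage", "http://*/*", "https://*/*", "<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_end" }
  ]
});

// The same extension narrowed to its own (hypothetical) site only.
const NARROW_MANIFEST = JSON.stringify({
  name: "constructed-sample-extension",
  version: "1.0",
  manifest_version: 2,
  permissions: ["tabs", "storage", "https://extension-site.example/*"],
  content_scripts: [
    { matches: ["https://extension-site.example/*"], js: ["inject.js"] }
  ]
});

// Chrome match patterns that grant access to every origin.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isBroadHostPattern(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns one finding per broad pattern; an empty array means the manifest
// asks for nothing that reaches beyond specific sites.
function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];

  // Manifest v2 mixes host patterns into "permissions"; v3 moves them to
  // "host_permissions". Check both so the audit works on either format.
  const hostPerms = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const p of hostPerms) {
    if (isBroadHostPattern(p)) {
      findings.push({ kind: "broad_host_permission", value: p });
    }
  }

  // A content script whose "matches" covers every site runs the listed
  // JavaScript files inside every page the user opens.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHostPattern(m)) {
        findings.push({
          kind: "content_script_on_all_sites",
          value: m,
          scripts: (cs.js || []).join(", "),
        });
      }
    }
  }
  return findings;
}

// Human-readable summary of the findings.
function describe(findings) {
  if (findings.length === 0) return "no broad access requested";
  return findings
    .map(f => `${f.kind}: ${f.value}${f.scripts ? " (" + f.scripts + ")" : ""}`)
    .join("\n");
}

console.log(describe(auditManifest(SAMPLE_MANIFEST)));
console.log(describe(auditManifest(NARROW_MANIFEST)));
```

Run it with `node audit.js` against the two embedded samples; to check a real extension, read its manifest.json from the unpacked extension directory and pass the file contents to auditManifest. Broad patterns alone don't prove an extension is malicious, but an extension that only needs its own site and still asks for every origin is exactly the mismatch the post describes.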

In addition, they are loading JavaScript (executing their own code) on every single website, not only on AdFiver but on all websites that you visit. Let's take a closer look at the script they are injecting:


Uhm... that's weird. It's the only fully obfuscated script in their extension. In this form it's hard to read, although we can already see some suspicious code with the eval and all those "atob" calls. Let's see what it looks like after cleaning it up a little bit:


Let's focus on the first block of the code, which sends an empty message to the extension and executes (evaluates) the response. What code will it be executing? Let's find out...


Here we can see two blocks of code. The first one is used to retrieve the code that will be executed in the step explained above. That code is retrieved directly from AdFiver every 24 hours. Right now, the retrieved code is what can be seen in the following image.

The second block of code, meanwhile, sends information to AdFiver together with the URL of the website we are visiting... That's weird... We'll come back to this later!


This is the code that AdFiver is executing in every website we visit and that they can modify whenever they want:


Let's make it readable by executing the atob(atob(atob... line of code that we found in image 3:
atob(atob(atob(atob(atob('responseCodeGoesHere').substr(1)).substr(1)).substr(1)).substr(1)).substr(1)


Once again... more obfuscated code so let's make it cleaner:


That's better. Here you can see that there is a block of code being executed if the website we are visiting matches the following format:

window.location.href.match(new RegExp(atob(atob("WG1oMGRIQnpQenBjTDF3dktGdGVYQzlkS2k1OEtXNWxiMkoxZUZ3dVkyOXRYQzl0WEM5cw"))))

Which, when made readable, ends up being:



That's NeoBux login page!
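For anyone who wants to reproduce the two decoding steps above without a browser, here is an added example (my own analysis helpers, not code from the extension or from this thread). It runs under Node.js using Buffer in place of the browser's atob/btoa, undoes the five-layer atob(...).substr(1) wrapping generically for any layer count, and decodes the double-base64 string from the injected script so you can see the URL pattern the post identifies as the NeoBux login page and check which URLs it matches. The wrapped payload and the test URLs are constructed samples; the only value taken from the post is the encoded pattern string.

```javascript
// Added analysis helpers, not code from the extension. Buffer stands in for
// the browser's atob/btoa so this runs under Node.js.
function b64decode(s) {
  return Buffer.from(s, "base64").toString("latin1");
}
function b64encode(s) {
  return Buffer.from(s, "latin1").toString("base64");
}

// The fetched response was wrapped in five layers, each one base64 with a
// junk character in front, so every unwrap step is atob(...).substr(1).
// Generalised here to any number of layers (slice(1) is the modern substr(1)).
function unwrapLayers(payload, layers) {
  let current = payload;
  for (let i = 0; i < layers; i++) {
    current = b64decode(current).slice(1);
  }
  return current;
}

// Inverse, used only to build a constructed test payload so the unwrap can be
// checked end to end: prepend one junk character, then base64-encode.
function wrapLayers(text, layers, junk = "X") {
  let current = text;
  for (let i = 0; i < layers; i++) {
    current = b64encode(junk + current);
  }
  return current;
}

// The URL pattern was hidden with plain double base64 (atob(atob(...))).
function decodeDoubleB64(s) {
  return b64decode(b64decode(s));
}

// The exact encoded string from the injected script quoted in the post.
const ENCODED_PATTERN =
  "WG1oMGRIQnpQenBjTDF3dktGdGVYQzlkS2k1OEtXNWxiMkoxZUZ3dVkyOXRYQzl0WEM5cw";

function decodedPattern() {
  return decodeDoubleB64(ENCODED_PATTERN);
}

// Apply the recovered pattern the same way the script did:
// window.location.href.match(new RegExp(...)).
function urlMatchesPattern(url) {
  return new RegExp(decodedPattern()).test(url);
}

// Constructed sample: a harmless stand-in for the real fetched response.
const SAMPLE_INNER = "console.log('constructed sample payload')";
const SAMPLE_WRAPPED = wrapLayers(SAMPLE_INNER, 5);

console.log("wrapped :", SAMPLE_WRAPPED);
console.log("unwrapped:", unwrapLayers(SAMPLE_WRAPPED, 5));
console.log("pattern  :", decodedPattern());
// Constructed URLs used only to exercise the pattern.
console.log(urlMatchesPattern("https://www.neobux.com/m/l"));
console.log(urlMatchesPattern("https://example.com/m/l"));
```

When you analyse a script like this, decode with a helper such as unwrapLayers and print the result instead of ever calling eval on the decoded text; the point is to read what the remote code would do, not to run it.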

So that script is basically sending your NeoBux login information, when you try to log in, to AdFiver's extension, which sends it back to their server 60 seconds after you log in. Yes, they are trying to steal your login details, and they succeeded with everyone who installed the extension (giving it full permissions to do whatever it wants).

The worst thing is that they are doing this on every website, so they can actually steal your login details on as many websites as they want by changing the code that they return to be executed.

We’ve already blocked it on our end and if they change it we’ll block it again.
Thankfully they have just under 3k users using it, but if you are one of them, do CHANGE your password(s) right now and stop using that malware.

Remember that when anyone pays you (they won’t, but they say they would) for using something like an extension, it’s the first sign that something’s not right.

If you need more info about the scammers behind this you can find it in this topic.
_____________________________________________________________

Update:
A forum moderator even posted this in their forum:

Which obviously was censored and the moderator was invited to "take a read":

So now Gustavo is most likely telling lies to the mods to help them keep the sinking ship afloat a few more days. Since they have no money left and have been paying tiny amounts per day, it shouldn't take long, so the moderators' backing in keeping the fraud afloat is crucial at this point.

After being caught red-handed and without any other alternative, the code has been silently changed to this:

While it currently doesn't affect us, you now know what to really expect from them: that fake extension is a backdoor for getting the passwords of those who use it stolen.

Also only someone with a child's mentality would change the class name from "gpt" to "hahahaha" when being caught. Proves a point though.

More information in the NeoBux forum.