Linkedin Tag

Back to blog

How web extensions can hurt your site (INFIRC[.]com and INFIRD[.]com)

Friday, October 18th, 2024

Updated October 23rd, 2024
Carlo D'Agnolo's profile picture

Carlo D'Agnolo

Marketing & Growth

The domain infirc[.]com and infird[.]com have caused quite the stir recently, and highlighted the dangers of infected or malicious web extensions.

Infirc[.]com was first observed coming into our backend appearing as the referer header, even though it is not hosted or referenced by our site.

Our public domains directory indexed the domain right after, and our internal detection engine flagged it as potentially malicious.

undefined

Go to this page in our directory.

Infirc[.]com is a newly registered domain with no clear purpose or established reputation.

A few weeks after, we noticed a significant increase in search impressions and clicks on this page, indicating that people were researching this domain. This prompted us to dive deeper.

undefined

A malicious domain inside a web extension (plugin)

As per the source, it suggests that script was found on c/side, but we are not infected. The only other possibility is visits from a browser with a web extension that tries to inject code.

In some cases, extension IDs are leaked. In this case, we weren’t able to find one.

If someone's web extension is infected, or an attacker creates one, they can be used to attack websites. For example, you have an ecommerce website that allows visitors to create accounts and perform transactions. A visitor with an infected web extension buys a product. In that process, their PII and financial details are captured by the malicious 3rd party script inside the infected extension.

Alternatively, a malicious extension use bot-traffic to capture any kind of information it’s not supposed to access.

We noticed an influx of proxy requests originating from different IP addresses across the globe, including:

  • Czech Republic

  • China

  • London (via VPN)

  • Japan

The logs from September 17, 2024, show the earliest trace of infirc[.]com making requests to our backend. As time progressed, especially around October 13, 2024, we observed 145 proxy requests directed toward this domain in a single day.

Each request presented a distinct and different user agent, making it difficult to pinpoint a single source of activity. Likely bot-driven traffic or a coordinated attack through a range of user agents and VPNs.

On October 15th, we caught and indexed infird[.]com, which showed similarity.

undefined

Go to this page in our directory.

The malicious scripts loaded by the domains

Digging deeper revealed a complex network of scripts, extensions, and external domains. Both infirc[.com] and infird[.com] host the same script, as can be seen from both these pages:

  • https://infird[.]com/cdn/afde4f0c-4096-4aeb-b345-d1aea539851b

  • https://infirc[.]com/cdn/c7fa7451-6f95-4815-ac32-b8cc2537837a

Both scripts referenced AliExpress and another domain, rano[.]info. The latter could be an ingest domain used to collect, process, or receive data from external sources.

The analysis of the scripts revealed attempts to bypass common detection mechanisms. As highlighted by the technical review, both domains load external scripts from untrusted sources like:

  • zurano[.]info/zimblat?i=7OB7CVF5V7&atr=477978779
    The domain zurano[.]info was flagged as neither legitimate nor associated with any trusted services.

The script was also seen transmitting data to other external servers, including:

  • https://overbridgenet[.]com/jsv8/offer

  • Google Analytics via the Measurement Protocol: https://www.google-analytics[.]com/mp/collect

This behavior indicates that infirc[.]com is not only facilitating the loading of unauthorized scripts but also sending data to various external servers, possibly to track users or manipulate analytics.

Two functions, _0xfc929c() and _0x1238ee(), were identified in the code, suggesting that the script might be trying to:

  1. Redirect users to different URLs.

  2. Modify links or interactions on the page without user consent.

This type of behavior shows of a possible attempt to alter the browsing experience of users or to phish sensitive information by redirecting them to malicious sites.

The script includes specific checks to avoid running in particular environments, such as platforms like Google, Bing, and other social media networks, to avoid detection in high-profile, well-defended environments.

CSPs are widely used as a first layer of protection against client-side attacks, including these. Attackers know about them, and can easily circumvent it. We don't rely on CSPs and were able to detect it.

How to protect your site

Please check your code for any reference to these domains and remove them. However, this is almost certainly a malicious 3rd party script that’s trying to be injected from outside.

We can block these attempts. Though it’s important to mention that if the attackers know about c/side’s presence, they can also circumvent us. This is an attack coming from a visitors browser, not malicious 3rd party code already present on your own site. We are still able to detect and inform you of the attackers attempts, including sharing crucial information like IPs and time of the attempts.

Any 3rd party scripts present on your site that are compromised, we can detect and block before they execute in the browser of your visitors. Protecting them, and you, from malicious actors. 

By using c/side’s free tier, you are safe from this and other similar attacks.

Carlo D'Agnolo's profile picture

More About Carlo

I'm in charge of marketing & growth at c/side, educating companies and users on the web about the dangers of third-party scripts and the broader client-side security risks.