Chrome Fake Reviews: It’s Worse than We Thought
The problem of fake reviews in the Google Chrome extensions store is bigger than it seems. New analysis shows a web of malware with access to all your browsing, that can redirect you anywhere when you least expect it.
Last month, we talked about a “Microsoft Authenticator” extension that turned out to be nothing of the kind. In reality, it was a Trojan—designed to phish for passwords. It also turns out that Google doesn’t really do any checks before it publishes browser extensions.
Come on, Google, get a grip. In today’s SB Blogwatch, we lose trust in la GOOG.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A love letter to abandoned cities.
“Nooo, I’ve been phished.”
Let’s climb aboard the Brian Krebs cycle—“Using Fake Reviews to Find Dangerous Extensions”:
“It pays to be judicious”
Fake, positive reviews have infiltrated nearly every corner of life online. [But] identifying and tracking these fake reviewer accounts is often the easiest way to spot scams.
…
After hearing … about a phony Microsoft Authenticator extension, [we] began looking at the profile of the account that created it. … the email address tied to the [publisher] also was responsible for one called “iArtbook.” … Looking at the Google accounts that left positive reviews on both … each left positive reviews on a handful of other extensions that have since been removed.
…
“It’s great!,” … Theresa Duncan enthused, improbably. “I’ve only had very occasional issues with it.”
“Very convenient and handing,” assessed Anna Jones, incomprehensibly.
…
Like an ever-expanding Venn diagram, a review … led to the discovery of even more phony reviewers and extensions. In total, [we] unearthed more than 100 positive reviews on a network of … 45 malicious extensions [from] 25 developer accounts tied to multiple banned applications.
…
The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. … A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available. … Most of these extensions were available for two to three months before being taken down.
Is this only a Google problem? John Gruber dares to deny:
“It’s a mess”
Fraudulent reviews are a scourge. Apple’s App Store is riddled with them — I’m not sure I’ve seen a single story about a scammy app in the App Store that didn’t have a bunch of 5-star reviews. Amazon product pages are riddled with fake reviews too. There’s a huge cottage industry in paying for fake reviews in any online forum where reviews can come from anyone.
I don’t know what the answer is. Users think they like reading reviews from other users, but they have no idea how utterly untrustworthy unverified reviews are. There’d be outrage if Apple or Amazon simply pulled the plug on user-submitted reviews, or wiped the slate clean by nuking existing reviews and starting over with some sort of “verified reviewer” system.
But the status quo is a cesspool of scammy reviews that many users believe they can trust. It’s a mess.
What was “Anna Jones” trying to say? Here’s Vintermann:
“Contemporary York Instances”
“Very convenient and handing” sounds like a synonym-spun sentence. Probably “handling” is in their list of synonyms for “stable” or “reliable” or something.
I remember they found out language models [that] produced plausible synonym spun garbage when prompted with it, such as referring to Contemporary York Instances (which is what you get when you synonym-spin “New York Times”).
It’s not just Google asleep at the switch. sneak is no fan of FAANG:
“Very bad at being proactive”
Any of Google’s thousands of staff could have done this trivial research, too, but apparently it’s no one’s job over there: Just like detecting the hijacked verified Twitter accounts that reply to almost all Elon tweets with cryptocurrency scam links that any non-Twitter person can find in 100 seconds, or the antivax hashtag spammers on Instagram, etc.
These companies are very bad at being proactive in enforcing their published policies.
So what should they do? gurps_npc suggests how this could be automated:
“Do not kick them”
All review companies should automatically:
1) Look for positive reviews of fraudulent products.
2) Flag and check/disable any other product that got good reviews from those reviewers.
3) Flag other people that gave positive reviews for those new products, and repeat.
4) Keep all those ‘reviewers’ active. Do not kick them at all.
Throw in a human to double check any complaints from valid products.
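What that loop looks like in code, as an added example (not from the original post, from Krebs, or from gurps_npc): a breadth-first walk over a reviewer/product graph that only follows positive reviews, flags rather than deletes reviewers, and leaves everything it flags for a human to double-check. Every reviewer, product and star rating below is constructed sample data.

```python
"""Propagate fraud suspicion over a bipartite reviewer/product graph.

Added illustration of the four automated steps in the comment above.
All reviewers, products and ratings are constructed; the only "known
bad" seed is a made-up listing standing in for the phony authenticator.
"""
from collections import deque

# Constructed sample reviews: (reviewer, product, stars).
REVIEWS = [
    ("reviewer_a", "fake-authenticator", 5),  # seed: known fraudulent
    ("reviewer_b", "fake-authenticator", 5),
    ("reviewer_a", "art-book", 5),
    ("reviewer_b", "fake-teams", 5),
    ("reviewer_c", "fake-teams", 4),
    ("reviewer_c", "tv-helper", 5),
    ("reviewer_d", "tv-helper", 1),           # 1 star: not a link
    ("reviewer_d", "legit-notes", 5),
    ("reviewer_e", "legit-notes", 5),
]
POSITIVE = 4  # minimum stars for a review to count as "good"


def propagate(reviews, seed_products):
    """Return (flagged_products, flagged_reviewers) reachable from seeds.

    Steps 1-3: a positive review on a flagged product implicates the
    reviewer; a positive review by a flagged reviewer implicates the
    product; repeat until nothing new is found. Step 4: reviewers are
    only flagged, never removed, so the graph stays usable next round.
    """
    by_product, by_reviewer = {}, {}
    for reviewer, product, stars in reviews:
        if stars >= POSITIVE:  # negative reviews create no edge
            by_product.setdefault(product, set()).add(reviewer)
            by_reviewer.setdefault(reviewer, set()).add(product)
    flagged_products, flagged_reviewers = set(seed_products), set()
    queue = deque(seed_products)
    while queue:
        product = queue.popleft()
        for reviewer in by_product.get(product, ()):
            if reviewer in flagged_reviewers:
                continue
            flagged_reviewers.add(reviewer)
            for other in by_reviewer.get(reviewer, ()):
                if other not in flagged_products:
                    flagged_products.add(other)  # human double-checks
                    queue.append(other)
    return flagged_products, flagged_reviewers
```

Note that `legit-notes` is never reached: `reviewer_d` only gave `tv-helper` one star, so the walk stops there instead of smearing an unrelated product.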
And what can we do to protect ourselves? Here’s one approach, from facorreia:
“Shady hacker”
I treat each and every Chrome extension as potentially malware, given that there are plenty of instances of legit extensions being sold and repurposed, and Chrome will silently install malware on my machine because of its auto-update-without-asking-or-verifying policy. I only trust a few, select extensions from large companies that hopefully won’t sell them to a shady hacker.
Here’s another, courtesy of radley13:
“I couldn’t care less”
One trick is simple: Ignore the positive reviews. They may be bought, they may be from fanboys, whatever. They are rarely informative.
Read the negative reviews. Find out what people don’t like about a product. If the things they don’t like are something you care about, then it’s not for you. If they’re complaining about stuff that doesn’t matter to you, then go for it. Some examples:
- A hotel review that complains the hotel is too far from the city nightlife? That’s a hotel I want: nice and quiet.
- A keyboard review complains that it doesn’t have programmable light patterns. I couldn’t care less — if that’s the only problem, I may buy it.
- A computer review complains that the fans are noisy. That would matter to me, so no thanks.
Can anyone learn from the analysis of this web of fake reviews? nerdponx sounds slightly cynical:
“Really interesting technique”
Coming soon: Consulting firm uses this technique to build a training set of fraudulent reviews, builds review fraud detector that … discriminates against elderly people and non-Western reviewers.
In all seriousness, this is a really interesting technique. Maybe there are analogues for other fake/bot behavior in other contexts.
Meanwhile, Mononymous parodies parroting fake friends:
“Seven thumbs up!”
it very good help me with a internet.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Usman Yousaf (via Unsplash)