Application Security

Browser Extensions and Malware: Q&A

PerimeterX Podcast Episode 5: Browser Extensions and Malware

In recent years, browser extensions and their risks have quietly become more prominent to both consumers and businesses. PerimeterX cybersecurity evangelist Reesha Dedhia sat down with us to discuss the evolution of these attacks and vectors on the PerimeterX Podcast. Listen to the full episode here.

In your role, you deal with a lot of challenges in the e-commerce and digital markets. What are the most prominent ones you’re seeing right now?

Reesha: I want to talk about a challenge that most of the market is still completely unaware of. As a digital or e-commerce leader, you’re investing a lot of time, budget and resources to create strategic marketing and website plans—with a goal of providing a positive online user experience, increasing business revenue and building your company’s brand reputation. To ensure these goals are being met, you continuously look at site data including metrics like click-through rates, time on site, unique visitor counts, bounce rates and conversion rates. It's really an ongoing and active cycle of measuring, analyzing, optimizing and testing.

But what if you’re looking at your data and you find yourself with a high amount of bounce rates, cart abandonment rates and conversion loss rates that you just can’t explain?

To find answers to these questions, you might check to make sure page load speeds are as planned, the site messaging and content is being well received and the products being sold are relevant and performing well. Some ways to find the not-so-obvious answers to these questions could be to conduct customer interviews or surveys, read customer feedback and testimonials, or talk directly to customers.

But what if you do all this and you’re still finding yourself with unexplained high bounce rates, cart abandonment rates and conversion loss rates?

Your site could be experiencing this negative impact due to a problem completely hidden to you: malicious distractions from browser malware and extensions. Browser malware and extensions inject unwanted coupons, promotions, and ads and while these appear as if they are coming from your site, they in fact are not. When users visit your website, they’re seeing this in the form of pop-ups and ads, often obscuring existing content, promotions, ads, or call to action (CTA) buttons like your “Add to cart" or checkout buttons. These pop-ups and ads redirect shoppers to competitors, they’re displaying unwanted ads and content, and they can also fraudulently tag user traffic to collect affiliate and referral fees. In fact, up to 20% of users that visit a site experience these distractions that come from browser extensions and malware.

It sounds like there are many types of browser extensions and malware out there. Can you give us some examples?

Reesha: Exactly, there are lots of different types. I’ll first talk about coupon extensions. Coupon companies have made billions of dollars by turning digital coupon-clipping into an industry. If you take a look at the industry recently, you’ll see that Rakuten bought eBates for $1B in 2014. Paypal bought Honey for $4B in 2019. What we are seeing is that coupon companies are a big business and only getting bigger. E-commerce companies partner with these coupon companies to provide coupons to users to bring them to their site, which helps increase their conversion rates. But in the end, these coupon providers are focused on monetization, this means they are not only partnering with you, they are also working with your competitors—which brings me to our next type of extension.

Price comparisons are the same extensions that offer your coupon to a visitor on your site, and are also offering price comparisons to similar products from competitors. They take away your users to different sites which leads to conversion loss for your business.

Another type is unsavory, unauthorized and unwanted ads. Many extensions or malware inject unauthorized, unsavory and unwanted advertisements and content that is displayed on your site. This can damage your brand reputation. They block links and buttons that the visitor is trying to use to add an item to a shopping cart or complete a purchase.

Then we have fraudulent affiliate fees. In a normal online advertising world, you spend money on a search campaign and buy ads to drive traffic to your e-commerce site to buy a product. Your customer acquisition cost is relatively easy to calculate and therefore, you can calculate your return on investment on the campaign, average revenue per user and lifetime revenue. Now imagine that the same customer that you spent money on to acquire to click over to your site suddenly has their referral code switched due to an extension on their browser. You are now paying an affiliate fee for the same customers’ purchases on your website. It costs a lot of money to receive their click. How do you calculate the ROI on those users? In the end, you’re unknowingly paying twice for that user.

Lastly, browser malware: malware of all types poses serious threats to both privacy and security. There are thousands of extensions out there. Some are malicious and bring malware with them. These extensions steal usernames, passwords and personal data. As a website owner, you have no idea what your visitors are bringing with them when they visit your site. Even worse, these malicious extensions are sometimes installed as part of free anti-malware software.

How big of an impact can these different types of extensions have on an ecommerce business?

Reesha: Browser malware and extensions negatively impact your user’s experience and your digital business. First, they frustrate the visitor because the site doesn’t work as expected. The numerous pop-ups and ads disrupt the user experience, making it difficult to view content and browse the site. And, they follow a user throughout the site as they browse. If the user clicks on one of these pop-ups, it could redirect them to a competitor or third-party site, causing disorientation and distrust of your site and brand. Even if the user attempts to ignore the distractions and get to the checkout page, they could be redirected to a different site even then, right before order confirmation. This leads to cart abandonment and conversion loss. In fact, the typical cart abandonment rate for online retailers is around 80%. Digital leaders and CROs work hard on your digital marketing plan to provide a positive customer experience, one that results in revenue to your company. Browser malware distracts your potential customers and disrupts their path to purchase. This hurts your brand reputation and leads to revenue loss.

What are companies doing today to help solve this?

Reesha: Since most digital leaders are unaware of the severity of the browser extension and malware problem, they are therefore not taking action and losing customers as a result. Because distractions from browser extensions and ad injections are carried by the end user, the site owner never sees them. In fact, most digital businesses are completely unaware of the problem and how to solve it.

Some digital businesses attempt to solve this by using manual and costly Content Security Policies (CSPs) which aim to defend against unauthorized content injections. CSPs are written by web developers and security teams to define permissions for page assets and access controls to network resources. But CSPs are not a scalable solution. They are a moving target and require manual monitoring and updating on an ongoing basis. Web developers and security resources can’t keep up with these.

Other digital leaders attempt to build a solution in-house to address the problem. But new extensions are appearing by the day and the existing ones are continuously evolving. Detecting and analyzing ever-changing browser extensions requires ongoing maintenance and expertise. Again, this eats up IT resources and can be a very costly and time-consuming approach.

Totally understandable—we’ve discussed previously on the podcast that in-house attempts to mitigate threats don’t always consider the application-level challenges in terms of security, often because they’re focused on the experience in other areas. So it seems like that applies here as well. What would a modern browser malware solution for this look like?

Reesha: A solution like this needs to be continuously learning. Browser extensions and malware are ever-evolving. It is essential to have a solution that is able to continuously learn about new browser-related malware and provide detection alerts based on constantly updated intelligence.

It also needs to have customizable actions for extensions. Not all extensions are bad for your site. The solution should be able to monitor all distractions and give you the ability to block some extensions and allow others, based on your customized business needs.

Scalability without loss of performance is also crucial. When implementing any protection solution, your website application should not suffer negative consequences. Users are easily distracted and will leave your site if they think performance is slow. A solution with little to no impact on website and application performance is a top requirement.

Lastly, out-of-the-box integrations with key platforms and web analytics tools are important. The solution you choose should come with the ability to share data with other applications that rely heavily upon the data.

What are the benefits you’ve seen of using these types of solutions to secure digital businesses?

Reesha: There’s nothing more frustrating than spending so much time, budget, and resources only to have visitors leave minutes after they get to your site, before getting to the conversion path you laid out. By getting visibility into the distractions on your site, you’ll set yourself up for success.

You can preserve the intended user and brand experience by blocking malicious distractions, which protects your digital journeys and your revenue. Eliminating distractions means you prevent your website visitors from getting redirected to competitors, hide unauthorized content from being shown on your site and reduce fraudulent affiliate fees. You take back control of your users’ experience, protect your brand reputation and keep users on the path to purchase.

Can you give an example of a use case as to how a retailer might use one of these solutions?

Reesha: A leading e-commerce retailer in the home improvement and home goods industry was experiencing lower conversion rates and revenue loss due to coupon extensions. Using a solution, they were able to find this out and realized most of this was coming from Rakuten and Amazon Assistant extensions. These coupon extensions were showing price comparisons and cashback offers from competitors on their site. They were basically telling their website visitors to go shop somewhere else.

Using a modern solution to tackle this, the company was given full visibility into the interruptions that users were experiencing on its site. They were able to perform A/B testing and see the data and metrics for two user groups: those exposed to extensions and those that weren’t.

What the retailer found was that by blocking all extensions, it was able to uplift its conversion rate by 6% for users with extensions which amounted to hundreds of thousands of dollars in net new revenue a month. It also uncovered insights into key marketing metrics important to them for both groups—those with and without extensions—including pages viewed per session, bounce rate and time to purchase. The team was able to gather valuable insights from the analytics for both groups and create segmented marketing campaigns.

Can you give some parting words for any digital businesses that might still be on the fence about solutions like this?

Reesha: Digital competition is certainly on the rise. Online spend in 2018 was almost $3B. It grew by almost $500M more in 2019. And all indicators are showing that it is going to continue to grow and continue to be a dominant part of our economy going forward. Particularly, in this situation with COVID 19, we have seen that increased trend of online shopping. Companies like Amazon have changed the playing field of what is expected from an online or e-commerce experience. Consumers’ expectations are higher than ever, and they expect a seamless experience and want to work with brands they trust. With almost all shopping currently being done online, and so many brands and sites selling similar products, it’s more important than ever to ensure that you are doing everything you possibly can to deliver the best online experience for your shoppers.

For more information on protecting against browser-based threats, visit the PerimeterX Page Defender page.

Forrester Report

PerimeterX Named a Leader in the Forrester Wave™: Bot Management, Q2 2022

Download Report
© PerimeterX, Inc. All rights reserved.