John @tuckner sent me on an interesting wild goose chase. He is investigating the Cyberhaven extension compromise, trying to find out more. And he found something that he considered another campaign compromising browser extensions, related to the sclpfybn[.]com domain: secureannex.com/blog/sclpfybn-

Edit: Just to make sure this is clear: so far there is little indication that these two campaigns are somehow related. Both being present in one extension was most likely a coincidence.

One of the extensions that used to contain the code in question was Visual Effects for Google Meet – which brought him to me because I recently covered that extension in my Karma Connection article: palant.info/2024/10/30/the-kar

I checked my data but couldn’t find sclpfybn[.]com domain mentioned in any extensions other than the ones @tuckner found already. I then looked for similar code and immediately found it in Urban VPN Proxy.

First thought: Urban VPN Proxy has the legitimate version of a library that was trojanized elsewhere. Taking a look at the communication of Urban VPN Proxy disproved that theory almost immediately – not only was it communicating in exactly the same way, but also to an unknown domain, namely ducunt[.]com. Yet the same endpoint existed on the official urban-vpn[.]com domain as well.

So not only did Urban VPN Proxy contain essentially the same code, it was likely added there by the developers themselves. Further investigation increased the suspicion that all these extensions haven’t been compromised, that this was rather some monetization SDK.

At which point @tuckner found the sales pitch for that SDK, detailing how it would add ad blocking functionality to the extension at the cost of exfiltrating very detailed browsing data (of course anonymized and aggregated before being sold to everyone asking for it, we know the drill). And explanations on how to make sure Google won’t object.

And that explains it all: before the Visual Effects for Google Meet developer sold their extension to Karma, they tried to monetize it with this “ad blocking library.” The sales pitch doesn’t mention who develops the library but everything points to Urban VPN.

According to Urban VPN privacy policy, they are selling the data they collect from their users via BIScience Ltd. Who are most likely the hidden owners of Urban Cyber Security Inc., a company registered to a virtual address in the USA.

Edit: Updated link to Tuckner’s blog post, he split it away from the original investigation.