Some Chrome Extension Redirects me to Malicious Sites When Amazon.com is Accessed

3

I'm getting redirected to ezshoplist.me and alecyueee.us when I try to access amazon.com. I'm actually redirected to these sites, which redirect back to Amazon.com. I searched a lot regarding these domains and came across this link - ddecode.com.

Also came across this site alestat which also indicates connections between amazon, ezshoplist.me and alecyueee.us

  1. Can someone help me understand what this code does?
  2. Have my Amazon credentials/session been compromised?
  3. How do I figure out which extension is the culprit?

As of now, I'm using a Chrome extension - Block site, to block these two sites and it does a pretty good job in doing the same. But I would like to get this removed. Virus/Malware scan with ClamXav and AVG free did not help.

Browser : Chrome
OS: Mac OSX 10.7.5

rajivvishwa

Posted 2013-09-11T15:55:15.750

Reputation: 31

2 In the worst case you have a malicious infection. In the best case you have a fake/adware extension installed. What have you done to clean your system? Have you simply deleted your Chrome profile? Once you resolve this problem you should change your Amazon credentials. – Ramhound – 2013-09-11T15:56:48.030

As mentioned I've scanned system with antivirus/malware. I uninstalled chrome, cleared profile etc, reinstalled it and sync'd my extensions back from cloud. I still have the issue. I'll change my Amazon credentials only after making sure that issue is completely resolved. But I need help on that. – rajivvishwa – 2013-09-11T16:00:47.310

Skip syncing the profile, and I glazed over the fact you're on OS X, so a malicious infection is highly unlikely. Which leaves a malicious (i.e. unwanted behavior) extension installed by you. Does this happen with Safari or Firefox? I suspect it's your DNS or ISP provider introducing this behavior through JavaScript. – Ramhound – 2013-09-11T16:18:18.810

Forgot to mention - I'm using Google DNS servers, my hosts file is clean too. This is happening only on Chrome (not in incognito). It's clear that some extension is causing the issue. And someone has posted the code of the extension in the link mentioned in my post. But I'm not sure I could figure out what it does. If I could figure it out I may be able to track the extension and remove it. And of course, report it to Google. – rajivvishwa – 2013-09-11T16:49:52.837

Process of elimination is the best way to find this. Remove one extension at a time until the problem returns. Syncing your profile after the removal of the profile is likely the reason it returned. Try starting Chrome with extensions to verify it's actually an extension doing it. – Ramhound – 2013-09-11T16:56:25.537

Ya, was lazy to do that.. But looks like I'm left with no option :) Let me try that. – rajivvishwa – 2013-09-11T17:01:31.270

I did that and I then enabled one by one. Now all are enabled. I no longer see the redirection issue.. yet. Not sure what happened. Now I won't be able to investigate the problem. – rajivvishwa – 2013-09-11T18:17:05.563

Update - Redirection still happens. I observed that I was redirected from tripadvisor too. Since this doesn't happen all the time I don't think toggling my extensions is going to help. I need to understand which extension initiates the redirection. – rajivvishwa – 2013-09-13T01:45:50.253

Answers

1

In my case, this was a YouTube Ad Blocker that was taking me to http://alecyueee.us/ext

user728833

Posted 2013-09-11T15:55:15.750

Reputation: 11

1

Solution: Remove the extensions from your browsers and synced accounts.

Details:

Looks like these extensions take away video ads, but do provide methods which inject affiliate links.

Their terms for the Video Ad Blocking are not on the Chrome Web Store, but to provide the free service, the URLs pointing to ezshoplist.me use affiliate linking: https://web.archive.org/web/20170626194757/http://ezshoplist.me

Related: https://web.archive.org/web/20150108065653/http://alecyueee.us:80/google-chrome-extensions

Found the IP here:

http://viewdns.info/reverseip/?host=162.243.254.224&t=1

johnathankent

Posted 2013-09-11T15:55:15.750

Reputation: 11

1

I have the same thing. I've got 3 computers all synced by Chrome and the problem comes back. Mac and PC both do it. It is basically an affiliate redirect so someone is getting paid every time, which I wouldn't mind if I knew who it was. Eliminating now so will post results. I reckon it's Adblock Plus but can't be sure.

EDIT: Ironically it looks to be the DoNotTrackMe extension! ABP seems to be fine.

John Lewis

Posted 2013-09-11T15:55:15.750

Reputation: 11

Please be more precise with the answer - is it now the "DoNotTrackMe" extension? Was the problem solved after you deleted the extension? – FiveO – 2014-06-26T10:15:35.243

I think I have found the culprit, there is code in the Chrome extension "Fabulous for Facebook" that redirects the browser when visiting Amazon, just like in the OP. – mack nordstrum – 2014-08-29T16:08:50.830

0

I think I have found the extension causing your issue. I was a bit suspicious of the extension so checked out its code, and found an obfuscated bit of JavaScript that seems to do what you are suggesting. The extension is called "Fabulous for Facebook". Do you have that installed? If so, uninstall it, and the problem should go away.

mack nordstrum

Posted 2013-09-11T15:55:15.750

Reputation: 264
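An added example, not part of the original thread or any poster's code: a script that inspects each installed extension's unpacked files for the two domains named on this page and reports the extension's manifest name. Because the answer above describes the redirect code as obfuscated, a literal string search can miss it, so the script also flags extensions whose content scripts run on every site as a shortlist for manual review. The profile path is an assumed Chrome default on OS X, and the sample extensions (names, IDs, file contents) are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

INDICATORS = ("ezshoplist.me", "alecyueee.us")   # domains named on this page
# Assumed default-profile location on OS X; other profiles and OSes differ.
CHROME_EXT_DIR = Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def scan_extensions(ext_root, indicators=INDICATORS):
    """One finding per installed version: indicator hits and broad content scripts."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        vdir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}
        if not isinstance(manifest, dict):
            manifest = {}
        hits = set()
        for path in vdir.rglob("*"):
            if path.suffix.lower() in (".js", ".json", ".html") and path.is_file():
                data = path.read_bytes().lower()
                hits.update(i for i in indicators if i.encode() in data)
        matches = {m for cs in manifest.get("content_scripts", [])
                   for m in cs.get("matches", [])}
        findings.append({"id": vdir.parent.name,
                         "name": manifest.get("name", "?"),
                         "indicators": sorted(hits),
                         "broad_content_script": bool(matches & BROAD)})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two fake extensions, one referencing a listed domain."""
    samples = {
        "a" * 32: ("Constructed Video Helper", ["<all_urls>"], 'var u = "http://alecyueee.us/ext";'),
        "b" * 32: ("Constructed Clean Extension", ["https://example.com/*"], 'console.log("ok");'),
    }
    for ext_id, (name, matches, js) in samples.items():
        vdir = Path(root) / ext_id / "1.0_0"
        vdir.mkdir(parents=True)
        manifest = {"name": name, "content_scripts": [{"matches": matches, "js": ["main.js"]}]}
        (vdir / "manifest.json").write_text(json.dumps(manifest))
        (vdir / "main.js").write_text(js)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # swap in CHROME_EXT_DIR for a real scan
        build_sample_profile(tmp)
        for finding in scan_extensions(tmp):
            print(finding)
```

The `id` in each finding is the directory name Chrome uses for the extension, which is the same ID shown on chrome://extensions with developer mode enabled.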

0

In my case, the problem was a Chrome plugin/extension called "Photo Zoom for Facebook". This plugin/extension used to open a new tab each time I opened Chrome in Incognito mode and automatically go to the http://alecyueee.us/ext URL, which then redirected me to download a plugin/extension called "Fabulous for Facebook".

Please do not use this plugin (Photo Zoom for Facebook) and not only disable but remove it from your Chrome, it may be tracing your secret data. So better to be careful.

Google should check before adding these extensions to their store.

Guman Thakur

Posted 2013-09-11T15:55:15.750

Reputation: 11