How to determine which Chrome extension is re-directing me to ad sites

Çağlar Arlı      -    19 Views

Twice now, seemingly randomly, I've been redirected to an ad site.

I believe it has occurred both times when I have a new tab open, type what I'm searching for (Google is my default search engine), press enter and then end up on the ad page.

As these links could be malicious, I'd advise against visiting them without proper sandboxing/virtualization, but I'll share them in case it helps identify what the cause could be.

The most recent time the URL was this:

http://namtofe.com/r2.php?e=Q4NW4efEyAwmioHKz%

which redirected me to

https://www.mamma.com/extensions/?subid=529493018&cpv=0.020&utm_source=dsn&utm_medium=cpc&utm_campaign=launch&sid=202312290718523484ec0c1324aea708

Looking at my history, the first time this happened to me, the URL was this:

http://namtofe.com/r2.php?e=1DXwhfAHJdlpfIWR2E6i%

(not positive what it redirected to looking at my history.)

Technically I don't know that this is caused by a Chrome Extension, though I can't think of any Windows applications that I've installed that would be a likely cause of this. Most are widely used applications, tools used by businesses, small open source tools, or things I'm developing or modifying myself. Furthermore, if a desktop application were to open a malicious link, I imagine it'd do it in a new window, not in the currently active tab.

Likewise, if my router were hacked, that could possibly explain this, but I've never encountered this issue on any other devices: only on this single laptop.

Here are the Chrome extensions that I use:

  • Ad Accelerator (speeds up YouTube ads, is open source)
  • Application Launcher For Drive (by Google)
  • Bitwarden (open source password manager)
  • Fluff Busting Purity (cleans up Facebook)
  • Google Docs Offline (by Google)
  • Less Distracting Reddit (open source)
  • Media Bias Fact Check - shows https://mediabiasfactcheck.com/ ratings on different sites
  • Netflix Party is now Teleparty (watch Netflix, Youtube, Disney Plus, Hulu, HBO, and Amazon Prime Video in sync with friends)
  • Return YouTube Dislike (shows estimation of number of dislikes, plus allows you to contribute to data by clicking the dislike button it adds)
  • SingleFile (downloads a page as a single .html file)
  • SponsorBlock for YouTube (skips over sponsored sections)
  • uBlock Origin (open source ad blocker)
  • Unhook - Remove YouTube recommended videos
  • Video Speed Controller
  • Webtime Tracker (keeps track of how much time I spend on different sites — doesn't require Internet access)

The permissions section for most of these extensions shows that they can only modify data on specific domains, in addition to being able to read all browser history. However, from what I can tell, any Chrome extension can open new windows or redirect you to a different URL. Is there any way to determine which extension is doing so?

Since this occurs so infrequently, I'm not sure disabling and re-enabling Chrome extensions one extension at a time is a feasible plan. I suppose I only need a couple of these extensions, but I find them helpful for wasting less time on the Internet and staying more productive.

I understand that having 15 different extensions potentially presents a security risk, though I think the same could be said for installing any desktop application (unless properly sandboxed or virtualized, which is not made convenient in Windows, which I unfortunately need for work since certain performance sensitive applications don't work in Wine/Proton/etc.)

With my currently open browser tabs, the only extensions I see running in Chrome Task Manager are the following:

  • Bitwarden
  • Netflix Party
  • SingleFile
  • uBlock Origin
  • Unhook
  • Webtime Tracker

However, I suppose it's possible that extensions can have service workers that periodically will run but otherwise will not show up most of the time here (not sure.)

I tried searching for namtofe (the spam domain I was redirected to) in ...\AppData\Local\Google\Chrome\User Data\Default\Extensions in my IDE, but could not find it. Considering the URL was different both times, this isn't too surprising, as the extension likely fetched content from a different URL to see what URL the user should be redirected to.

Anyone have any tips? I'd like to remove and report whichever extension is causing this.
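
An added example, not part of the original post: a static audit that reads each installed extension's manifest.json and lists the capabilities relevant to the behaviour described above (request-redirect APIs, broad or Google host access, event-driven service workers, New Tab or search-provider overrides). The sample manifest is constructed, and `scan` assumes the Extensions directory mentioned in the post with its usual id/version/manifest.json layout.

```python
import json
from pathlib import Path

# Manifest permissions that let an extension observe or rewrite navigations.
RISKY_PERMS = {
    "webRequest": "can observe network requests",
    "webRequestBlocking": "can block/redirect requests (Manifest V2)",
    "declarativeNetRequest": "can apply block/redirect rules",
    "declarativeNetRequestWithHostAccess": "can apply rules on granted hosts",
    "webNavigation": "can observe every navigation",
    "tabs": "can read the URL of every tab",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return the reasons this manifest could take part in a search redirect."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    findings = [f"{p}: {why}" for p, why in RISKY_PERMS.items() if p in perms]
    hosts = set(perms)  # Manifest V2 keeps host patterns under "permissions"
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    findings += [f"host access: {h}" for h in sorted(hosts)
                 if h in BROAD_HOSTS or "google." in h]
    if "service_worker" in manifest.get("background", {}):
        findings.append("background service worker (runs only on events)")
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        findings.append("overrides the New Tab page")
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append("overrides the default search provider")
    return findings

def scan(ext_root):
    """Map 'id/version' -> findings for every extension under ext_root."""
    report = {}
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        report[f"{mf.parts[-3]}/{mf.parts[-2]}"] = audit_manifest(manifest)
    return report

# Constructed sample manifest (not taken from any real extension).
SAMPLE = {"manifest_version": 3, "name": "constructed-example",
          "permissions": ["storage", "tabs", "declarativeNetRequest"],
          "host_permissions": ["<all_urls>"],
          "background": {"service_worker": "bg.js"}}

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

A finding shows capability, not misbehaviour: it narrows which extensions are worth reading or disabling first. An extension whose findings cover both a redirect-capable API and access to Google or all hosts is the natural starting point.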