In a technical overview, the researchers explained how they discovered unknown traffic to and from a server hosted on a European virtual private server provider, originating from a Chrome extension titled "Change HTTP Request Header." ICEBRG analyzed this extension to understand the full scope of its capabilities and identified the cause of the sudden traffic spike.
They soon discovered it was generated by a Chrome extension called HTTP Request Header, as it used the infected machine to surreptitiously visit advertising-related Web links.
The data is passed using either HTTP request header fields or request parameters.
Web switches look deep into the HTTP request headers, all the way down to the URL and cookies, to determine what content is being requested.