Let's buy some fake reviews for a pointless Chrome extension
Braving the depths of the "Extension Spam Lagoon"
When publishing an extension to the Chrome Web Store, you’re required to publish a developer email - ostensibly to give users a way to contact you. This also opens the “Extension Spam Lagoon” dump valve into your inbox.
If your extension has a lot of users, the spammers want to buy your extension for vague reasons like “adding it to their portfolio”.
If your extension doesn’t have a lot of users, the spammers want you to buy their “promotional services” to boost the number of users and reviews - completely legitimately, of course.
To find out what fake reviews actually look like, I’ll publish a brand new extension that nobody would ever use or review, and buy some fake reviews for it.
Step 1: Publish a pointless extension
First, I’ll need a totally useless Chrome extension. How about one that displays the first byte of the HTTP response?
The extension will send a request to the active tab’s URL and show the result in a popup:
Source: https://github.com/msfrisbie/first-byte
(Never mind that this doesn’t account for authentication. It just needs to be as useful as a chocolate teapot.)
Since the extension uses the less-invasive activeTab permission, it was rapidly approved for the Chrome Web Store: https://chromewebstore.google.com/detail/first-byte/nkikhefaobjaccmcngakfmelebahleea
Step 2: Lie in wait
It did not take long for the lagoon to find me. Here’s the top of my inbox the next morning:
I’m assuming these people are running a recurring scrape of the Chrome Web Store and cold emailing new entries.
I chose the emailer who judiciously applied their Shift key. Here’s the full initial email:
From: Fake Review Guy
To: Matt Frisbie
Hello,
Hope this message finds you well.
I'm Fake Review Guy, a digital marketing expert specialized in products and service promotion. I came across your extension on the Chrome Web Store via Chrome stats. It has quite a good number of users but low reviews/ratings... Chrome has an algorithm of promoting and featuring extensions with a lot of engagements to get more visibility and recommendations... I have a strategy that will get your extension more engagements by providing positive reviews about your extension and also by getting the targeted audience for massive installs... We can add 100-200 reviews to your extension and note the reviews are real and organic...
Gladly and kindly respond to this message. Let's collaborate and take your extension to a higher level. Do you mind if I share my suggestion?
Before buying any fake reviews, I wanted to extract as much info from them as I could. First, I asked how they claim to get these reviews. The response:
Firstly I get the reviews and installs from real users organically....
How do I do this?
I reach out to them via Social Media Ads, Google ads and some Social Media groups and pages and channels as well....
NOTE: We don't use bots to get the downloads because we understand the terms and conditions of the Chrome Web Store. I do not offer fake reviews and I get my reviews by giving them an irresistible offer so they would be compelled to drop a review and I can guarantee you 100% that all reviews are legit
BENEFITS OF PROMOTION:
We understand the algorithm of the Web Store in featuring extensions to get recommendations and visibility. And they feature extensions with lots of engagements that's extensions with a good number of installs and reviews. So after promotion and we add more users and reviews to your extension it will be more visible and will have a good ranking on the Web Store search engine.
Let me know what your budget is and the number of installs and reviews you want us to start working on properly then I will give you my pricing plan.
Who could possibly poke holes in this?
First, I asked who “we” was:
My team
…and the max number of reviews they could do:
1000 is the highest we can do.
And the reviews are real and organic...
Next, I asked for examples of extensions they had worked with before:
No good way of knowing if these are legit or not. Finally, I asked how much per review:
For the review, I will charge $1 per review, paypal or crypto...
Once you make the payment, I will get started immediately with my team
$1 per review? That’s like one AdSense click. Their conversion rate must be the envy of every digital marketing agency!
I’m sold, let’s pull the trigger!
Step 3: Buying fake reviews
My budget for this project was $30. After a bit of haggling, they agreed to 50 users and 10 reviews. I sent the payment, and waited.
The next morning, I woke up to find that Santa had come!
Check out the fake reviews here: https://chromewebstore.google.com/detail/first-byte/nkikhefaobjaccmcngakfmelebahleea/reviews
I was surprised at how believable these reviews were, so I’m assuming they’re AI-generated.
Takeaways
The battle against paid fake reviews will never be won, but there should be at least a tiny bit of friction to deter fake reviews.
Here’s the Chrome Web Store policy on user reviews:
Google doesn’t verify the authenticity of reviews and ratings
With no verification of authenticity, and with the newfound saturation of LLMs, of course extension reviews are going to become an unreliable swamp.
Users need reliable reviews to make informed software decisions.
The first line of defense against malicious extensions should be the Chrome Web Store detecting these extensions and expelling them, but currently this is the only line of defense.
Some ideas to solve this problem:
Encourage more reviews from real users. There are plenty of high-quality extensions out there with large numbers of happy users, but it’s completely up to extension developers to push their users to leave reviews. More should be done from Chrome’s side to encourage reviews from real users, à la Google Play and the App Store reminding users to review.
Automatically discard untrustworthy reviews. Google is going all-in on AI, and they have a huge corpus of extensions, reviews, and account/browser metadata. If even 1% of the sophistication of detecting fake ad clicks is applied here, the improvement would be substantial.
Give users a way to learn about the accounts behind these reviews. Other than a name and avatar image, there is no way for a user to learn anything about the identity of someone who leaves a review, positive or negative. People are pretty good at identifying suspicious accounts. Reddit’s model of public comments/posts is a good example of this.
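One way to express the "discard untrustworthy reviews" idea as a first-pass filter, added here as an example and not code from the author or from Google: it scores a listing on review-to-user ratio, review bursts and rating uniformity. The field names, thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for illustration, not Chrome Web Store values.
MAX_REVIEW_RATIO = 0.05             # reviews per user still considered plausible
BURST_WINDOW = timedelta(hours=24)  # window in which a burst is measured
BURST_SHARE = 0.8                   # share of all reviews inside one window
MIN_REVIEWS = 5                     # below this, no judgement is made


def largest_burst(times, window=BURST_WINDOW):
    """Return the largest number of reviews inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_signals(users, reviews):
    """Return the list of suspicious signals raised by one listing."""
    if len(reviews) < MIN_REVIEWS:
        return []
    signals = []
    if users == 0 or len(reviews) / users > MAX_REVIEW_RATIO:
        signals.append("review_ratio")
    times = [datetime.fromisoformat(r["posted"]) for r in reviews]
    if largest_burst(times) / len(reviews) >= BURST_SHARE:
        signals.append("burst")
    if all(r["rating"] == 5 for r in reviews):
        signals.append("uniform_rating")
    return signals


# Constructed sample data: a new listing shaped like the purchase described
# above (50 users, 10 reviews overnight) and a long-established listing.
bought = [{"rating": 5, "posted": f"2024-01-02T0{h}:15:00"} for h in range(10)]
organic = [{"rating": r, "posted": f"2023-{m:02d}-10T12:00:00"}
           for m, r in zip(range(1, 13), [5, 4, 5, 2, 5, 5, 3, 5, 4, 5, 1, 5])]

if __name__ == "__main__":
    print(review_signals(50, bought))
    print(review_signals(40000, organic))
```

Signals like these only rank listings for closer inspection; account and browser metadata, which the sketch does not model, would be needed before discarding anything.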
Matt Frisbie is a Web Extensions Google Developer Expert
I first saw your GitHub repo, then opened the chrome webstore page and saw these reviews, got totally confused about what are you up to, you even mentioned it in the Readme and that made me wonder can't you see they are fake, and then I saw this post XD...
This is a genuine issue and Google should do something about it. Thanks for doing this experiment and showing the dark sides of Chrome extensions.
This is a very interesting concept and I was surprised about how many emails you got within a day or so, I now know that I should take all reviews with a grain of salt just in case.