On December 24, 2024, cybercriminals managed to compromise a Google Chrome extension offered by the cybersecurity company Cyberhaven. As the company explains in a blog post, hackers carried out a phishing attack in order to take control of an administrator account.
In concrete terms, an employee of the firm fell for a phishing email. At the end of the attack, the hackers obtained the "credentials of a Cyberhaven employee on the Google Chrome Web Store". With this information, the hackers were able to break into the account and upload a malicious version of the extension. The malicious version was also installed on computers where Chrome updates automatically.
Facebook Ads Data Theft
Once downloaded by Chrome users, the extension siphoned off personal data. Its primary target was users of Facebook Ads, an advertising platform used to create and manage advertising campaigns on Facebook. The data targeted included identifiers, access tokens, browser cookies, and other information related to Ads accounts.
Cyberhaven quickly became aware of the attack. The company removed the fraudulent version of its extension within an hour of it going live. The damage was limited. As a precaution, the company recommends that customers change all passwords, verify that the patch has been installed, and scan their tools for suspicious activity.
18 Compromised Extensions
Unfortunately, the attack is not limited to Cyberhaven. According to information obtained by our colleagues at Bleeping Computer from security researchers, a similar cyberattack allowed hackers to compromise other popular Chrome extensions. Here is the full list of affected extensions:
- Bookmark Favicon Changer
- Castorus
- Wayin AI
- Search Copilot AI Assistant
- VidHelper
- Vidnoz Flex
- TinaMind
- Primus
- AI Shop Buddy
- Sort by Oldest
- Earny
- ChatGPT Assistant
- Keyboard History Recorder
- Email Hunter
- Internxt VPN
- VPNCity
- Uvoice
- ParrotTalks
These extensions have over 380,000 downloads on the Chrome Web Store. All of them contained the same malicious code that was identified in the compromised version of Cyberhaven's extension. Note that other extensions may also have fallen into the hackers' net without researchers having discovered them.
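To check a machine against this list, the added example below (not code from Cyberhaven or Bleeping Computer) walks a Chrome profile's `Extensions/<id>/<version>/` directory, resolves localized `__MSG_…__` names, and reports installs whose name contains one of the listed names. The article gives no extension IDs, so matching is by name only and each hit still needs manual confirmation; the helper names and the sample installs are assumptions constructed for illustration.

```python
import json, sys, tempfile
from pathlib import Path
# Names from the article's list plus Cyberhaven itself; the article gives no extension IDs.
AFFECTED = ["Bookmark Favicon Changer", "Castorus", "Wayin AI", "Search Copilot AI Assistant",
    "VidHelper", "Vidnoz Flex", "TinaMind", "Primus", "AI Shop Buddy", "Sort by Oldest",
    "Earny", "ChatGPT Assistant", "Keyboard History Recorder", "Email Hunter",
    "Internxt VPN", "VPNCity", "Uvoice", "ParrotTalks", "Cyberhaven"]

def load(path: Path) -> dict:
    """Parse a JSON file, tolerating a BOM; return {} if missing or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(vdir: Path) -> str:
    """Extension name from manifest.json, resolving a localized __MSG_key__ name."""
    manifest = load(vdir / "manifest.json")
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        messages = load(vdir / "_locales" / str(manifest.get("default_locale", "en")) / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name  # plain name, or the unresolved placeholder

def audit(extensions_dir: Path) -> list:
    """Return (extension_id, version, name) for installs whose name matches the list."""
    hits = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        name = display_name(manifest.parent)
        if any(a.lower() in name.lower() for a in AFFECTED):
            hits.append((manifest.parent.parent.name, manifest.parent.name, name))
    return hits

def build_sample(root: Path) -> Path:
    """Constructed sample: three fake installs with made-up IDs, in Chrome's on-disk layout."""
    for ext_id, name, msgs in [("a" * 32, "VidHelper", {}), ("b" * 32, "Tab Tidy", {}),
                               ("c" * 32, "__MSG_appName__", {"appname": {"message": "Uvoice"}})]:
        vdir = root / "Extensions" / ext_id / "1.0_0"
        (vdir / "_locales" / "en").mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (vdir / "_locales" / "en" / "messages.json").write_text(json.dumps(msgs))
    return root / "Extensions"

if __name__ == "__main__":  # pass a profile's Extensions directory, or run on the sample
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample(Path(tempfile.mkdtemp()))
    print(*audit(target), sep="\n")
```

Short names such as "Primus" will also match unrelated extensions, so treat the output as a list to review.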
Wave of Attacks on Christmas Eve
As Cyberhaven points out, the offensive is part of "a larger campaign targeting Chrome extension developers within many companies". According to the researchers’ investigation, many extensions were hacked at the same time, on Christmas Eve.
The hackers were apparently counting on the holiday season, which keeps developers away from their offices, to strike without being immediately detected. This is a common tactic among cybercriminals. It consists of orchestrating an offensive when offices are closed, at night or on weekends. However, some extensions were hacked as far back as mid-December.
Source: Bleeping Computer
