Last week, hackers took advantage of Christmas Eve to compromise popular Chrome extensions. The attackers slipped malicious code into new versions of the extensions after taking over their developers' accounts on the Google Chrome Web Store. Those poisoned versions then reached users as ordinary extension updates, and once installed the extensions were able to siphon off some of the users' data.
According to investigations by Cyberhaven, one of the targets of the attack, the hackers compromised a total of 36 Chrome extensions to achieve their ends. According to the cybersecurity firm, these extensions have a combined user base of over 2,600,000. Cyberhaven says it continues to "monitor for additional infections".
The Origins: A Sophisticated Phishing Campaign
A few days after the incident, it emerged that the whole operation rested on a large phishing campaign targeting extension developers. As reported by our colleagues at Bleeping Computer, the phishing wave began in early December 2024, but the attackers had been preparing it since March 2024.
The attack begins with a phishing email aimed directly at Chrome extension developers. To fool their targets, the attackers use lookalike domain names such as supportchromestore.com, forextensions.com, or chromeforextension.com.
On Google Groups, a developer reported receiving "a more sophisticated phishing email than usual". It warned of "an alleged violation of Chrome extensions policy, specifically for a reason called: Unnecessary details in the description".
Posing as Google, the attackers claim that the extension is at risk of removal because of an inadequate description. Unsurprisingly, the email urges developers to fix the problem as soon as possible by clicking a link that purports to lead to the Chrome Web Store.
This is a classic pretext for phishing crews. Once on the fraudulent page, the targeted developer is prompted to grant the attackers permission to manage the extensions published under their Chrome Web Store account.
To do this, the attackers use a malicious OAuth application. OAuth is a standard authorization protocol that lets a third-party application access protected resources on another service without the user ever sharing their credentials, such as a password. That is exactly what makes the lure effective: the developer is already signed in to Google, so approving the consent screen triggers neither a password prompt nor a two-factor authentication challenge, and two-factor authentication on the account offers no protection against it. In just a few clicks, developers hand control of their extensions to cybercriminals.
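The consent grant is the step worth detecting, because nothing about the developer's credentials or MFA state changes. As an added example that is not part of the article or of Cyberhaven's or Bleeping Computer's own tooling, the following script walks Google Workspace OAuth token audit events and flags any "authorize" event in which an OAuth client outside an allow-list was granted the Chrome Web Store scope. The event layout is modelled on the Admin SDK Reports API "token" application; the scope string is assumed to be the documented Chrome Web Store API scope, and the sample events, client IDs, app names, e-mail addresses and allow-list are all constructed for illustration.

```python
"""Flag OAuth consent grants that hand a third-party app control of a
developer's Chrome Web Store items.

Added example, not code from the article. The event layout is modelled on
the Google Workspace Admin SDK Reports API "token" application (activity
records with an "actor" and an "events" list whose "authorize" entries carry
app_name, client_id and scope parameters). Client IDs, app names, e-mail
addresses and the allow-list below are constructed for illustration.
"""

# Assumption: the documented Chrome Web Store API scope. Holding it lets an
# app upload and publish new versions of every item the grantor owns.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Constructed allow-list of OAuth client IDs the team has actually vetted
# (for example the CI job that publishes releases).
KNOWN_CLIENT_IDS = {"111111111111-ci-release.apps.googleusercontent.com"}


def _parameters(activity):
    """Flatten an activity's first event parameters into a plain dict.

    Reports API parameters are a list of {"name": ..., "value": ...} or
    {"name": ..., "multiValue": [...]} objects.
    """
    events = activity.get("events") or [{}]
    out = {}
    for param in events[0].get("parameters", []):
        if "multiValue" in param:
            out[param["name"]] = list(param["multiValue"])
        elif "value" in param:
            out[param["name"]] = param["value"]
    return out


def flag_consent_grants(activities, known_ids=KNOWN_CLIENT_IDS):
    """Return one finding per 'authorize' event that granted CWS_SCOPE to an
    OAuth client not in known_ids. Each finding is (actor_email, app_name,
    client_id)."""
    findings = []
    for activity in activities:
        events = activity.get("events") or [{}]
        if events[0].get("name") != "authorize":
            continue
        params = _parameters(activity)
        scopes = params.get("scope", [])
        if isinstance(scopes, str):
            scopes = [scopes]
        client_id = params.get("client_id", "")
        if client_id in known_ids or CWS_SCOPE not in scopes:
            continue
        findings.append((
            activity.get("actor", {}).get("email", "<unknown>"),
            params.get("app_name", "<unnamed app>"),
            client_id,
        ))
    return findings


def _authorize(email, app_name, client_id, scopes):
    """Build a constructed token-audit activity record."""
    return {
        "actor": {"email": email},
        "events": [{
            "type": "auth", "name": "authorize",
            "parameters": [
                {"name": "app_name", "value": app_name},
                {"name": "client_id", "value": client_id},
                {"name": "client_type", "value": "WEB"},
                {"name": "scope", "multiValue": scopes},
            ],
        }],
    }


# Constructed sample log: one vetted CI grant, one unrelated sign-in grant,
# and one grant that matches the phishing pattern described above.
SAMPLE_ACTIVITIES = [
    _authorize("release-bot@example.com", "Release CI",
               "111111111111-ci-release.apps.googleusercontent.com", [CWS_SCOPE]),
    _authorize("dev@example.com", "Some SaaS tool",
               "222222222222-saas.apps.googleusercontent.com",
               ["openid", "https://www.googleapis.com/auth/userinfo.email"]),
    _authorize("dev@example.com", "Policy Review Helper (constructed)",
               "333333333333-lure.apps.googleusercontent.com",
               ["https://www.googleapis.com/auth/userinfo.email", CWS_SCOPE]),
]

if __name__ == "__main__":
    for actor, app, client_id in flag_consent_grants(SAMPLE_ACTIVITIES):
        print(f"ALERT {actor} granted Chrome Web Store access to {app!r} ({client_id})")
```

Run as-is it reports only the third grant: the vetted CI client is allow-listed and the SaaS tool never asked for the Chrome Web Store scope. In production the activity records would come from the Reports API rather than the embedded sample, and the allow-list is the control that matters: any publish-capable grant to a client you did not deliberately approve deserves an alert, regardless of how legitimate the app name looks.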
Source: Bleeping Computer
