
Chrome Red Alert: 100 Extensions Impersonate Popular Services, Like YouTube or Deepseek


DomainTools researchers have discovered a massive data theft campaign on Chrome. The cyberattack relies on more than 100 malicious extensions that impersonate known and legitimate services, such as YouTube, DeepSeek AI, Calendly, and VPNs.

These fraudulent extensions are promoted through fake websites. Researchers have also identified 100 domain names linked to the campaign. To propagate the sites, the cybercriminals used malicious advertisements. The cyberattack has been ongoing since "at least February 2024."

A dual functionality to fool Internet users

Each malicious site has a button labeled "Add to Chrome." Clicking it opens the Chrome Web Store page for the booby-trapped extension, so the user installs the extension from Google's official platform. It's therefore difficult to blame Internet users who have fallen into the trap.

Once installed, the extensions partially function as advertised to allay users' suspicions. At the same time, they siphon off user data, such as cookies, browsing history, and session tokens. This information could allow attackers to take over the victim's online accounts. The report states that "these extensions often have a dual function: they appear to perform their role normally, while connecting to malicious servers to transmit user data." To achieve their goals, the extensions will request "excessive permissions to interact with each site the browser visits." That's why you should be wary of extensions that require a host of permissions to work.

Google removes some extensions

Unsurprisingly, Google was quick to remove all fraudulent extensions from its Chrome Web Store. Unfortunately, some fraudulent extensions are still available on the platform. As DomainTools points out, "the persistence of the malicious actor, as well as the delay in detection and removal, poses a threat to users looking for productivity tools and extensions to enhance their browser."

The researchers recommend being wary of any extensions that aren't offered by reputable developers. Before installing an extension found online, take the time to check the publisher's name and read other users' reviews. In addition, "regularly review your installed extensions, removing any that you don't need or that you find suspicious." These precautions often help detect scams.
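One way to carry out that periodic review is to read each installed extension's manifest and list those that combine access to every site with access to cookies or history, the data the report says was taken. The script below is an added example, not code from DomainTools or Google; the permission sets, the sample manifests and the flagging rule are assumptions chosen for illustration.

```python
import json
from pathlib import Path

# Host match patterns that give an extension access to every site visited.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose cookies, history or request traffic.
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest"}

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"name": "Constructed VPN helper", "manifest_version": 3,
                "permissions": ["cookies", "history", "storage"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_NARROW = {"name": "Constructed calendar tool", "manifest_version": 3,
                 "permissions": ["storage"],
                 "host_permissions": ["https://calendar.example/*"]}

def audit_manifest(manifest: dict) -> dict:
    """Report the broad host patterns and sensitive APIs a manifest requests."""
    requested = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # A content script matched on every page amounts to broad host access.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    broad = sorted(requested & BROAD_HOSTS)
    apis = sorted(requested & SENSITIVE_APIS)
    return {"name": manifest.get("name", "?"), "broad_hosts": broad,
            "sensitive_apis": apis, "flag": bool(broad and apis)}

def audit_profile(extensions_dir: Path) -> list:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip it
        result = audit_manifest(manifest)
        result["id"] = path.parts[-3]  # directory name is the extension ID
        findings.append(result)
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(audit_manifest(sample))
```

A flagged extension is a prompt for manual review, not a verdict: legitimate tools such as content blockers also request broad access. Pass `audit_profile` the `Extensions` folder of the Chrome profile being reviewed.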

Source: DomainTools
