How hackers trapped millions of internet users


Last week, hackers took advantage of Christmas Eve to compromise popular Chrome extensions. Cybercriminals slipped malicious code into new versions of the extensions by exploiting developer accounts on the Google Chrome Web Store. These new versions were downloaded and installed by Internet users. The extensions were then able to siphon off part of the users' data.

According to investigations carried out by Cyberhaven, one of the targets of the cyberattack, the hackers compromised a total of 36 Chrome extensions to achieve their ends. According to the cybersecurity company, these extensions have more than 2,600,000 users. Cyberhaven says it continues to “monitor for other infections”.


At the origins: a sophisticated phishing campaign

A few days after the events, it turned out that the entire operation was based on an extensive phishing campaign aimed at extension developers. As our colleagues at Bleeping Computer report, a wave of phishing began at the beginning of December 2024. However, the hackers had been preparing the attack since last March.

The attack begins with a phishing email sent directly to Chrome extension developers. To fool their targets, the hackers use domain names such as supportchromestore.com, forextensions.com and chromeforextension.com.

In a Google Group post, a developer reports having received “a more sophisticated phishing email than usual”. The email warned of “an alleged violation of the Chrome Extensions Policy, specifically for a reason titled: Unnecessary details in description”.

By pretending to be Google, the attackers claim that the extension risks being deleted because of an inadequate description. Unsurprisingly, the email encourages developers to correct the situation as quickly as possible by clicking on a link to the Chrome Web Store.

“The link in this email looks like the official store one, but it redirects to a phishing site designed to try to take control of your Chrome extension, probably with the intention of updating it with malware”, says the developer, referring to the wave of attacks that occurred on New Year’s Eve.

This is a classic technique for hackers specializing in phishing attacks. Once on the fraudulent page, the targeted developer is asked to grant the hackers permission to manage extensions on the Chrome Web Store through their account.

To do this, the hackers use a malicious OAuth application, which involves no two-factor authentication step. OAuth is a standard authorization protocol that allows a third-party application to access protected resources on another service without the user needing to share credentials such as passwords. In just a few clicks, developers hand control to the cybercriminals.
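An added example, not from the article or Bleeping Computer: a link triage check a security team could run over URLs pulled from email or proxy logs. It flags the lookalike domains named above and, because an OAuth consent request is made at the provider's own authorization endpoint, also flags requests for the Chrome Web Store scope from a client ID that is not on an approved list. The endpoint paths and scope string are Google's published values; the sample links, client IDs and the `approved_client_ids` allowlist are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Lookalike domains named in the article.
PHISHING_DOMAINS = {"supportchromestore.com", "forextensions.com", "chromeforextension.com"}
# Google's OAuth 2.0 authorization endpoint and the Chrome Web Store API scope.
GOOGLE_AUTH_HOST = "accounts.google.com"
GOOGLE_AUTH_PATHS = {"/o/oauth2/auth", "/o/oauth2/v2/auth"}
WEBSTORE_SCOPE = "https://www.googleapis.com/auth/chromewebstore"


def triage_link(url, approved_client_ids=frozenset()):
    """Return a list of findings for one URL taken from an email or proxy log."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []

    # 1. Link domain check: exact match or any subdomain of a listed domain.
    if any(host == d or host.endswith("." + d) for d in PHISHING_DOMAINS):
        findings.append("lookalike-domain")

    # 2. Consent request check: the host is genuine here, so inspect the parameters.
    if host == GOOGLE_AUTH_HOST and parts.path.rstrip("/") in GOOGLE_AUTH_PATHS:
        query = parse_qs(parts.query)
        scopes = set(" ".join(query.get("scope", [])).split())
        client_id = query.get("client_id", [""])[0]
        if WEBSTORE_SCOPE in scopes and client_id not in approved_client_ids:
            findings.append("unapproved-app-requests-webstore-scope")
    return findings


# Constructed sample links (hypothetical paths and client IDs).
SAMPLES = [
    "https://app.supportchromestore.com/policy-check?id=1",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=unknown-app.example"
    "&response_type=code&scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=ci-publisher.example"
    "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fchromewebstore",
    "https://chromewebstore.google.com/category/extensions",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(triage_link(link, approved_client_ids={"ci-publisher.example"}), link[:60])
```

The second sample shows why a domain blocklist alone is not enough: the host is legitimate, and only the scope and client ID reveal that an unknown application is asking to manage extensions.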


Source: Bleeping Computer
