Several Chrome Extensions Injected With Malicious Codes

A new hacker trend has emerged where several Chrome extensions were injected with malicious codes for a phishing campaign against Ad and AI platforms.

A recent analysis by the cybersecurity company CyberHaven revealed that a sophisticated phishing campaign compromised several Google Chrome extensions. As mentioned in the blog post by the company, the hackers gained access to the admin accounts of these extensions and added malicious code to them.

These attacks happened in December and in a gradually phased manner, targeting logins specific to social media advertising and AI platforms. A few other extensions were also impacted, tracing back to mid-December, including ParrotTalks, Uvoice, and VPNCity.

CyberHaven has already notified its customers as soon as it identified the phishing attack. The company advised changing passwords and other credentials in an urgent email sent to all internal employees and customers. After a thorough analysis of the nature of the attack, the cybersecurity team discovered that the scammers targeted Facebook Ad users.

The attackers tried to steal data such as access tokens, user IDs, and other credentials, including their cookies. “After successfully sending all the data to the [Command & Control] server, the Facebook user ID is saved to browser storage. That user ID is then used in mouse click events to help attackers with 2FA on their side if that was needed,” said CyberHaven’s analysis.

The attack was first detected on December 25, and the company quickly resolved the issue by removing the malicious version of the extension in less than an hour. The company has also pushed a cleaner version of the extension in its latest update, ensuring such attacks do not compromise their client data again.

The recent attack signifies the risk of sharing your personal information online, which has almost become inevitable for any business or individual to access services, products, and other useful online assets.