Over 40 Malicious Chrome Extensions Impersonate Popular Brands to Steal Sensitive Data
Cybersecurity firm LayerX has uncovered over 40 malicious Chrome browser extensions, many of which are still available on the Google Chrome Web Store.
These extensions, part of three distinct phishing campaigns, were designed to impersonate well-known and trusted applications and brands.
Detailed Analysis Reveals Impersonation Tactics
LayerX, building on initial research by the DomainTools Intelligence (DTI) team, conducted a comprehensive analysis of suspicious URLs that had been flagged for communicating with malicious extensions.
By analyzing the metadata associated with these extensions, including their IDs, names, publishers, and publication dates, LayerX was able to identify the breadth and depth of this widespread campaign.
The malicious extensions were engineered to mimic popular tools and brands such as Fortinet’s FortiVPN, Calendly scheduling software, YouTube helper tools, and cryptocurrency utilities like DeBank, thereby leveraging the credibility of these brands to bypass user suspicion.

These extensions not only used look-alike domains that closely resembled legitimate ones, such as calendlydaily[.]world or calendly-director[.]com, but also used separate domains for their publisher contact information to strengthen the deception.
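The look-alike domains above can be caught with a simple brand-token check. The following is an added example, not LayerX's or DomainTools' tooling: it refangs an indicator, reduces it to its registrable domain, and flags it when it embeds a brand name without being one of that brand's real domains. The brand table and its legitimate apex domains are assumptions constructed for the example.

```python
"""Flag look-alike domains that embed a trusted brand name but are not one of
that brand's real registrable domains. Added example for this article; the
brand table, legitimate apex domains and sample inputs are constructed
assumptions, not LayerX data."""
import re

# Constructed: (token to look for, brand name, apex domains the brand really uses).
# The apex sets are an assumption for the example, not an authoritative record.
BRANDS = [
    ("calendly", "Calendly", {"calendly.com"}),
    ("forti", "Fortinet", {"fortinet.com"}),
    ("debank", "DeBank", {"debank.com"}),
]


def refang(indicator: str) -> str:
    """Normalise a defanged indicator ('[.]', '[.com]', 'hxxp://', trailing path)
    into a bare lowercase hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^(?:hxxps?|https?)://", "", host)
    host = host.replace("[", "").replace("]", "")
    return host.split("/")[0].strip(".")


def apex(host: str) -> str:
    """Registrable domain under the simplifying assumption of a one-label
    public suffix; a production tool would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def lookalike_brand(indicator: str):
    """Return the brand a domain impersonates, or None if it is either a
    legitimate brand domain or carries no known brand token."""
    host = refang(indicator)
    registrable = apex(host)
    for token, brand, legit in BRANDS:
        if token in host and registrable not in legit:
            return brand
    return None


if __name__ == "__main__":
    # The two Calendly look-alikes from the article plus one legitimate host.
    for ioc in ("calendlydaily[.]world", "calendly-director[.]com", "calendar.calendly.com"):
        print(f"{ioc:28} -> {lookalike_brand(ioc)}")
```

A token match alone is a weak signal; what makes the check useful is the negative condition, so a real subdomain of the brand is never flagged while any other registrable domain carrying the token is.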
AI and Automation in Extension Creation
A striking aspect of this campaign was the use of AI to auto-generate extension pages.
The structure, formatting, and language of these pages were almost identical, indicating a systematic approach to creating these deceptive tools.
This automation allowed threat actors to rapidly deploy numerous extensions with minimal manual work, significantly scaling their phishing operations.
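The near-identical listing pages described above can be surfaced mechanically rather than by eye. The following is an added example, not LayerX's tooling: it shingles each store description into word trigrams and groups listings whose Jaccard similarity crosses a threshold, which is what templated, brand-swapped listings look like. The listing IDs and texts are constructed for the example.

```python
"""Cluster Chrome Web Store listings whose descriptions are near-identical,
the pattern the article attributes to auto-generated extension pages.
Added example with constructed sample listings; not LayerX's tooling or data."""
import re
from itertools import combinations


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams over lowercased, punctuation-stripped text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_listings(listings: dict, threshold: float = 0.5) -> list:
    """Group listing IDs whose shingle sets have Jaccard >= threshold
    (single-linkage via union-find). Returns a sorted list of sorted groups."""
    parent = {k: k for k in listings}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    sh = {k: shingles(v) for k, v in listings.items()}
    for a, b in combinations(listings, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in listings:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample listings: three share one template with a swapped
# opening line, one is unrelated. IDs are placeholders, not real extension IDs.
BODY = ("Protect your privacy with one click. No registration required. "
        "Works on all websites. Lightweight and fast. Install now and enjoy.")
SAMPLE = {
    "ext-a": "Free VPN for secure browsing. " + BODY,
    "ext-b": "Calendar helper for easy scheduling. " + BODY,
    "ext-c": "Crypto wallet tracker for your portfolio. " + BODY,
    "ext-d": "Counts the words on the current page and shows an estimated "
             "reading time in the toolbar.",
}

if __name__ == "__main__":
    for group in cluster_listings(SAMPLE):
        print(group)
```

Trigram shingles are deliberately coarse: a listing whose only difference is the product name in the opening sentence still shares most of its shingles with its siblings, while an unrelated description shares none. Once a cluster is found, the analyst pivots on the other metadata the article lists (publisher, contact domain, publication date) to confirm it is one campaign.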
The extensions gave attackers persistent access to users' browser sessions, enabling data theft, identity impersonation, and, on managed endpoints, a foothold into corporate environments.
Once installed, they could harvest sensitive information, including login credentials, personal data, and business secrets.
The discovery underscores that browser extensions remain a potent vector for cyber threats.
LayerX has outlined several proactive steps organizations can take to mitigate these risks:
- Block Malicious Extensions by Extension ID: Labor-intensive, because every known-bad ID must be added by hand, but effective: push the IDs to managed browsers through MDM or Chrome enterprise policy (the ExtensionInstallBlocklist policy), which also disables copies that are already installed.
- Implement Extension Hygiene: Limit installation to verified or established publishers, avoid recently published tools, and treat low review counts or broad permission requests as warning signs.
- Post-Removal Actions: Removal from the Chrome Web Store does not uninstall an extension from endpoints where it is already installed; those copies keep running until they are uninstalled manually or disabled by policy, so users and IT departments must audit existing installations.
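The three steps above can be tied together in one script. This is an added example, not code from LayerX or Google: it validates extension IDs from an IOC feed (seeded with the three IDs from the table on this page; the rest of the list is elided there), emits Chrome's ExtensionInstallBlocklist policy in the JSON form Chrome reads from its Linux managed-policy directory, and scans the local Chrome user-data directory for extensions still present on disk after store removal. The profile locations are assumed defaults, and the offline self-check builds a constructed directory tree rather than touching a real profile.

```python
"""Turn an IOC list of extension IDs into Chrome's ExtensionInstallBlocklist
policy and check local Chrome profiles for installs that survived store
removal. Added example for this article; the profile paths are assumed
defaults and the self-check directory tree is constructed."""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# IDs from the article's IOC table.
IOC_IDS = [
    "ccollcihnnpcbjcgcjfmabegkpbehnip",  # FortiVPN
    "aeibljandkelbcaaemkdnbaacppjdmom",  # Manus AI
    "fcfmhlijjmckglejcgdclfneafoehafm",  # Site Stats
]


def valid_ids(ids) -> list:
    """Keep only well-formed IDs; a typo in an IOC feed would otherwise
    silently become a no-op policy entry."""
    return [s for s in (i.strip() for i in ids) if EXT_ID_RE.fullmatch(s)]


def blocklist_policy(ids) -> dict:
    """Managed-policy JSON (Linux: /etc/opt/chrome/policies/managed/*.json;
    Windows and macOS deliver the same policy via registry or plist)."""
    return {"ExtensionInstallBlocklist": sorted(set(valid_ids(ids)))}


def default_user_data_dirs() -> list:
    """Assumed default Chrome user-data locations per OS (no custom --user-data-dir)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return [Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def installed_matches(user_data_dir: Path, ids) -> list:
    """Return sorted (profile, extension_id) pairs for IOC IDs found under
    <profile>/Extensions/<id>/ in any profile of the user-data directory."""
    wanted = set(valid_ids(ids))
    hits = []
    if not user_data_dir.is_dir():
        return hits
    for profile in user_data_dir.iterdir():
        ext_dir = profile / "Extensions"
        if not ext_dir.is_dir():  # skips files such as "Local State"
            continue
        for ext in ext_dir.iterdir():
            if ext.name in wanted:
                hits.append((profile.name, ext.name))
    return sorted(hits)


def demo_scan() -> list:
    """Offline self-check: build a constructed user-data tree holding two IOC
    IDs and one benign ID across two profiles, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext in (IOC_IDS[0], "a" * 32):  # "aaaa..." is a constructed benign ID
            (root / "Default" / "Extensions" / ext / "1.0_0").mkdir(parents=True)
        (root / "Profile 1" / "Extensions" / IOC_IDS[2] / "2.1_0").mkdir(parents=True)
        (root / "Local State").write_text("{}")  # a file, not a profile
        return installed_matches(root, IOC_IDS)


if __name__ == "__main__":
    print(json.dumps(blocklist_policy(IOC_IDS), indent=2))
    for root in default_user_data_dirs():
        for profile, ext_id in installed_matches(root, IOC_IDS):
            print(f"still installed: {ext_id} in profile {profile!r} under {root}")
    print("self-check:", demo_scan())
```

For the hygiene step, the allowlist counterpart ExtensionInstallAllowlist combined with a blocklist entry of "*" inverts the model so that only approved IDs install at all; the blocklist-by-ID approach shown here is the lighter-weight option when that is not yet in place.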
According to the Report, LayerX also offers specialized solutions for managing browser security, including real-time monitoring, risk classification, and automated blocking of malicious extensions, which can provide a more robust defense against such threats.
This campaign demonstrates the sophistication of modern phishing attempts, using AI to craft believable fronts for malicious activities.
Organizations must adapt their security strategies to include stringent browser extension management to protect against these covert threats.
Indicators of Compromise (IOC):
Extension ID | Extension Name | Publisher
---|---|---
ccollcihnnpcbjcgcjfmabegkpbehnip | FortiVPN | https://forti-vpn[.]com/
aeibljandkelbcaaemkdnbaacppjdmom | Manus AI | Free AI Assistant
fcfmhlijjmckglejcgdclfneafoehafm | Site Stats | https://sitestats[.]world
… | … | …