
“Security Alert: 35 Google Chrome Extensions Compromised with Malicious Code Injection”

A major phishing campaign has compromised 35 Google Chrome extensions, exposing approximately 2.6 million users to malicious code injections. These compromised extensions, ranging from VPN tools to AI-powered productivity add-ons, are being used to steal sensitive user information.

How the Attack Happened

The attackers reportedly sent phishing emails masquerading as official notifications from Google Chrome Web Store Developer Support. These emails targeted extension developers, tricking them into granting OAuth permissions to their Chrome Web Store accounts. This allowed the attackers to bypass multi-factor authentication (MFA) measures and upload malicious versions of the extensions.

The injected malicious code is designed to extract sensitive data, including session tokens, cookies, and social media account credentials, with a particular focus on Facebook Ads dashboards. Investigators also found that the compromised extensions contained hard-coded command-and-control (C2) domains, enabling attackers to download configurations and exfiltrate user data remotely.

Extensions Affected

Some of the affected Chrome extensions include:

  • AI Assistant
  • VPNCity
  • Reader Mode
  • Web Mirror
  • ChatGPT App
  • Proxy SwitchyOmega (V3)
  • Visual Effects for Google Meet

The complete list includes 35 extensions, with many still not addressed. Some extensions, such as “Bard AI Chat” and “Search Copilot AI Assistant,” have been removed from the Chrome Web Store entirely.

How It Works

Once installed or updated, the compromised extensions begin collecting user data, such as:

  • Login credentials and cookies.
  • User session tokens from platforms like Facebook.
  • Sensitive business data, particularly from advertising accounts.

This stolen data is then sent to attacker-controlled C2 servers for further exploitation.

Primary Targets

The campaign has primarily targeted corporate accounts with access to paid advertising tools, aiming to gain control over business-critical assets. Security experts believe the attackers are also interested in exploiting vulnerabilities in AI tools and corporate platforms.

Key Incident

Cyberhaven, a California-based data protection company, disclosed that one of its extensions was compromised in this campaign. On Christmas Eve, attackers used phishing to gain access to an employee’s credentials and publish a malicious update to their Chrome extension (version 24.10.4).

Ongoing Investigations

Reports indicate that this campaign might have started as early as March 2024. While 35 extensions have been confirmed as compromised, researchers believe that more extensions may have been targeted.

How to Protect Yourself

To safeguard your data, take the following precautions:

  1. Uninstall or Update Extensions: Immediately remove or update any extensions known to be compromised.
  2. Reset Passwords: Change passwords for all accounts, especially those linked to compromised extensions.
  3. Review Permissions: Check the permissions of all browser extensions and revoke unnecessary access.
  4. Monitor Accounts: Watch for unusual activity in personal and business accounts, particularly on social media and advertising platforms.
  5. Enable MFA: Strengthen your accounts with multi-factor authentication wherever possible.
  6. Be Vigilant: Be cautious of emails claiming to be from official sources like Google, especially those requesting access or immediate action.
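As an added example (not code from the article or from any of the projects it names), a small Python triage script that supports steps 1 and 3 above: it reads each installed extension's manifest.json from a Chrome profile, flags names the article reports as compromised, and surfaces permissions that reach cookies or every site. The sample manifests and extension IDs are constructed for the demo.

```python
import json
from pathlib import Path

# Extension names the article reports as compromised (the subset it lists).
KNOWN_COMPROMISED = {
    "AI Assistant", "VPNCity", "Reader Mode", "Web Mirror", "ChatGPT App",
    "Proxy SwitchyOmega (V3)", "Visual Effects for Google Meet",
}
# Permissions that let an extension read session cookies/tokens or script arbitrary sites.
SENSITIVE = {"cookies", "webRequest", "webRequestBlocking", "<all_urls>", "tabs", "scripting"}

def triage_manifest(manifest: dict, ext_id: str = "?") -> dict:
    """Classify one manifest.json: known-compromised name match plus sensitive/broad permissions."""
    name = manifest.get("name", "")
    # Localized names (__MSG_x__) need _locales/*/messages.json to resolve; mark them unresolved.
    unresolved = name.startswith("__MSG_")
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad_hosts = {p for p in perms
                   if p == "<all_urls>" or p.startswith(("*://*/", "http://*/", "https://*/"))}
    findings = []
    if name in KNOWN_COMPROMISED:
        findings.append("name matches reported compromised extension")
    hits = sorted((perms & SENSITIVE) | broad_hosts)
    if hits:
        findings.append("sensitive permissions: " + ", ".join(hits))
    return {"id": ext_id, "name": name, "version": manifest.get("version", "?"),
            "unresolved_name": unresolved, "findings": findings}

def scan_profile(profile_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and triage every installed extension."""
    results = []
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        results.append(triage_manifest(json.loads(mf.read_text(encoding="utf-8")), mf.parts[-3]))
    return results

# Constructed sample manifests and IDs (not real extensions) so the script runs offline.
SAMPLES = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Reader Mode", "version": "1.5.7", "manifest_version": 3,
        "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Weather Widget", "version": "2.0", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLES.items():
        r = triage_manifest(manifest, ext_id)
        status = "REVIEW" if r["findings"] else "ok"
        print(f'{status:6} {r["name"]} {r["version"]} ({ext_id}): {"; ".join(r["findings"])}')
```

Point `scan_profile()` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to triage the extensions actually installed; anything marked REVIEW should be checked against the current list of compromised versions and removed or updated.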

Developers: Stay Alert

Developers must adopt stringent security practices, including:

  • Implementing robust application security checks.
  • Regularly monitoring OAuth permissions.
  • Educating teams about phishing threats.
  • Verifying the authenticity of emails from official platforms.

What’s Next?

While many compromised extensions have been patched or removed, the threat is far from over. Security experts continue to analyze malicious payloads and uncover new C2 domains linked to this campaign. Users are advised to remain proactive in ensuring their online safety and to regularly verify the legitimacy of installed extensions.

Final Thoughts

This incident underscores the importance of staying vigilant against evolving cybersecurity threats. Both users and developers must adopt proactive measures to mitigate risks and protect sensitive data from falling into the wrong hands.

Stay updated with security news and remain cautious of unexpected changes in your online environment. The fight against malicious actors requires awareness and immediate action.

Author

Enmsol
