Millions of Google Chrome users on red alert: Hackers hijack 35 browser extensions to steal YOUR data
Criminals have hijacked dozens of popular browser extensions in a bid to target Google Chrome users and steal sensitive data, like passwords. The devastating campaign started last month and shows no sign of slowing.
According to experts, attackers managed to infiltrate at least 35 of these popular extensions by stealing the login credentials of the developers who work on these small apps — even bypassing two-factor authentication.
Once the crooks had managed to access developers' accounts, they leveraged these extensions to harvest Facebook login details from unsuspecting users. Experts believe this is a coordinated campaign to siphon sensitive data through multiple extensions.
Chrome is the most popular browser on the planet, with an estimated 3.4 billion people relying on the Google-designed app to access the internet worldwide. With so many people reliant on Google Chrome every day, it's no surprise this web browser has such an immense target on its back.
Extensions are applications that can be installed in the Chrome browser to change its functionality. These can be used to automate certain functions or add new functionality.
One of the most recent extensions to fall into the hands of hackers was Cyberhaven, which confirmed that it had been hit by "a malicious cyberattack" on Christmas Eve that affected their Chrome extension.
In a cruel twist, Cyberhaven is designed to protect users from critical insider risks to the most sensitive data, so those who had the extension installed in their Chrome browser were clearly already conscious about cyber-security and making an effort to shield themselves.
Speaking to Reuters, the California-based data protection company acknowledged that cybersecurity experts had identified the breach as "part of a wider campaign to target Chrome extension developers across a wide range of companies."
Cyberhaven stated they are "actively cooperating with federal law enforcement" in response to the incident.
The full geographical extent of the hacking campaign remains unclear at this time.
Jaime Blasco, co-founder of Texas-based Nudge Security, reported identifying multiple Chrome extensions that had been compromised in the same manner as Cyberhaven. At least one of the affected extensions was targeted as early as mid-December, according to Blasco's findings.
The compromised extensions included those related to Artificial Intelligence (AI) and VPNs (Virtual Private Networks), suggesting a broad attack strategy from the hijackers.
Blasco believes the campaign was not specifically targeting Cyberhaven, stating: "I'm almost certain this is not targeted to Cyberhaven. If I had to guess, this was just random."
The attack appears to be an opportunistic effort to collect sensitive data through as many compromised extensions as possible.
The compromised extensions pose a significant security risk, with hackers specifically targeting users' Facebook login credentials through the malicious code updates.
The breach demonstrates how established Chrome extensions can be weaponised against their users when developers fall victim to sophisticated phishing attacks.
According to experts, the widespread phishing campaign started with fraudulent emails sent to extension developers, claiming their products violated Google's policies and faced potential removal. Developers were prompted to click a Go To Policy button within these fraudulent emails, which directed them to a convincing but fake website.
The malicious site presented a counterfeit Google account login page designed to harvest developer credentials. Once attackers obtained these login details, they were able to access the extension's code and upload malicious updates.
The sophisticated nature of the attack allowed hackers to bypass Google's security measures with concerning ease, even when developers had enabled two-factor authentication on their accounts.
Chrome users who've installed any recently compromised extensions may have had their Facebook login details stolen, potentially exposing their accounts to unauthorised access. If you suspect that your account might have been compromised, change your password as soon as possible.