
Chrome Extensions Expose Users To Theft And Hacks

Chrome extensions have become a prime target in a sophisticated attack campaign that compromised at least 25 popular browser add-ons. This breach exposed over 2.6 million users to risks such as data theft and stolen credentials.

Attackers used phishing emails that were designed to seem like official emails from the Chrome Web Store to target extension creators. These deceptive emails created a false sense of urgency, tricking developers into granting access to malicious applications. After gaining access, attackers were able to steal cookies and user access tokens by inserting malicious code into trustworthy extensions.

Cybersecurity company Cyberhaven revealed a phishing attack on December 24, where attackers targeted one of its employees to access a Chrome Web Store admin account. The hackers used these credentials to release a malicious update for the well-known Chrome addon from Cyberhaven.

The update, released on Christmas Day, aimed to steal sensitive user data, including passwords, session tokens, Facebook account details, and cookies. On December 27, Cyberhaven announced that the attackers had injected malicious code into the extension.

This malware downloaded additional configuration files, exfiltrated user data, and communicated with a command-and-control (C&C) server hosted on the domain cyberhavenext[.]pro.

The attackers sent a phishing email spoofing Google Chrome Web Store Developer Support. The email falsely claimed that the extension violated Developer Program Policies. The manufactured urgency led to the access grant that resulted in the hack.

A phishing email was used to target Cyberhaven’s Chrome Extension developers (Cybernews)

In an additional technical report, Cyberhaven claimed:

The attacker gained requisite permissions via the malicious application (‘Privacy Policy Extension’) and uploaded a malicious Chrome extension to the Chrome Web Store. After the customary Chrome Web Store Security review process, the malicious extension was approved for publication.

Cyberhaven’s internal security team detected and removed the malicious package within an hour of discovery. Prominent clients of Cyberhaven include Kirkland & Ellis, AmeriHealth, Reddit, Canon, Snowflake, and Motorola.

Cyberhaven Warns of Malicious Chrome Extension Attack (BleepingComputer)

Extensions Compromised by Data-Stealing Code

The details Cyberhaven disclosed about the breach reveal that the intrusion is part of a larger campaign. Hackers are targeting Chrome extension developers at various businesses in order to steal sensitive information from websites such as Bank of America, American Express, Zoom, and 23andMe.

Researchers discovered over two dozen compromised Chrome extensions by analysing code and URLs, with at least eight extensions connecting to the obscure domain sclpfybn[.]com.

Compromised extensions include Bookmark Favicon Changer, Castorus, Wayin AI, Search Copilot AI Assistant, VidHelper, Vidnoz Flex, TinaMind, Primus, AI Shop Buddy, Sort by Oldest, Earny, ChatGPT Assistant, Keyboard History Recorder, and Email Hunter. Collectively, they have amassed nearly 380,000 downloads.

Google appears to be aware of the attack. Developers on Reddit reported that the Chrome Web Store removed the Moonsift extension on December 10, 2024. This suggests a mass attack effort targeting trusted browser add-ons, not a single incident.

According to Secure Annex creator John Tuckner, the campaign may have begun as early as April 2023. Domain registrations such as nagofsg[.]com in August 2022 and sclpfybn[.]com in July 2021 serve as supporting evidence.

I’ve linked the same code present in the Cyberhaven attacks to related code (let’s say Code1) in an extension called ‘Reader Mode’. The code in ‘Reader Mode’ contained Cyberhaven attack code (Code1) and an additional indicator of compromise, “sclpfybn[.]com”.

The compromised Cyberhaven add-on featured malicious code aimed at stealing identity data and access tokens from Facebook accounts, with a particular focus on Facebook Ads users. It also tracked mouse clicks on Facebook[.]com, looking for photos with “qr/show/code” as the source property.

The malicious code sent captured images to a command-and-control (C&C) server. This behaviour suggests an attempt to exploit QR codes to bypass security measures such as two-factor authentication (2FA).

JSON Configuration Revealing Data Collection (Cyberhaven)

Additional compromised extensions, such as Visual Effects for Google Meet, Rewards Search Automator, Tackker, Bard AI chat, and Reader Mode, have since been removed from Chrome’s Web Store.

Cyberhaven has expanded its investigation into the breach by bringing in cybersecurity experts at Mandiant and federal law enforcement. The company said, “We are committed to our core values of maximum transparency to uphold the trust you have placed in us.”

On December 26, the company released a clean version of the extension (v24.10.5), urging users to upgrade to this latest version. The company also recommended revoking non-FIDOv2 passwords, rotating API tokens, and reviewing browser logs for suspicious activity.
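As an added example for the triage steps above (not code from the article or from Cyberhaven), the following Python script scans unpacked extension directories for the indicators the article names (the C&C domains and the “qr/show/code” string) and flags a Cyberhaven extension older than the clean v24.10.5 release. It assumes the extension is recognisable by its manifest name, since the article gives no extension ID, and the sample extension it scans is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators named in the article (written there defanged with [.]; plain here).
IOC_DOMAINS = ("cyberhavenext.pro", "sclpfybn.com", "nagofsg.com")
# Image-source fragment the article says the malicious code watched for on Facebook.
IOC_STRINGS = ("qr/show/code",)
IOC_RE = re.compile("|".join(re.escape(s) for s in IOC_DOMAINS + IOC_STRINGS), re.IGNORECASE)
FIXED_VERSION = (24, 10, 5)  # clean Cyberhaven release v24.10.5 per the article


def find_iocs(text):
    """Return the distinct indicators present in one script's text, lower-cased."""
    return sorted({m.group(0).lower() for m in IOC_RE.finditer(text)})


def version_tuple(version):
    """'24.10.5' -> (24, 10, 5); non-numeric parts count as 0 so comparison stays safe."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def needs_update(name, version):
    """True if the manifest looks like the Cyberhaven extension and predates the clean build.
    Matching on the manifest name is an assumption; the article does not give the extension ID."""
    return "cyberhaven" in name.lower() and version_tuple(version) < FIXED_VERSION


def scan_extension(ext_dir):
    """Scan one unpacked extension directory and return a small triage report."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    name, version = manifest.get("name", "?"), manifest.get("version", "?")
    hits = {}
    for js in ext_dir.rglob("*.js"):
        found = find_iocs(js.read_text(encoding="utf-8", errors="ignore"))
        if found:
            hits[str(js.relative_to(ext_dir))] = found
    return {"name": name, "version": version, "ioc_hits": hits,
            "needs_update": needs_update(name, version)}


if __name__ == "__main__":
    # Constructed sample extension (not real extension code) to exercise the scanner.
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample_ext"
        ext.mkdir()
        (ext / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": "24.10.4"}))
        (ext / "worker.js").write_text('fetch("https://cyberhavenext.pro/config");')
        (ext / "content.js").write_text('// constructed: matches src containing "qr/show/code"')
        print(json.dumps(scan_extension(ext), indent=2))
```

Point the scanner at each directory under a profile's Extensions folder; any hit or a stale Cyberhaven version is a reason to remove the extension and follow the credential and token rotation advice above.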

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.

Although technology can be helpful, it cannot spot 100% of phishing emails. Therefore, user education is important to minimising the impact of any successful attacks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.
