Beware! 5 Malicious Chrome Extensions Targeting Workday and NetSuite Users (2026)

Beware of the Stealthy Chrome Extensions!

Cybersecurity researchers have uncovered five malicious Google Chrome extensions. Disguised as innocent HR and ERP platforms, these extensions are actually designed to hijack user accounts, leaving victims vulnerable to cyberattacks.

"These extensions are like a well-rehearsed orchestra, working together to steal authentication tokens and gain complete control over accounts," says Kush Pandya, a researcher at Socket. The extensions are not just stealing data; they also block incident response capabilities, making it nearly impossible for security teams to take action.

The names of these malicious extensions are:

  • DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph) - 251 installs
  • Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf) - 101 installs
  • DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam) - 1,000 installs
  • DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg) - 1,000 installs
  • Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij) - 27 installs

While most of these extensions have been removed from the Chrome Web Store, they still lurk on third-party sites, waiting to be downloaded by unsuspecting users. They promise access to premium tools, but their true intent is far more sinister.

Although the extensions were released under two publishers, the campaign is believed to be a coordinated effort because of identical functionality and infrastructure patterns. The attackers exfiltrate cookies, manipulate the DOM tree, and facilitate session hijacking, all while remaining hidden in plain sight.

Once installed, DataByCloud Access requests permissions to access cookies, manage scripts, and store data across Workday, NetSuite, and SuccessFactors domains. It continuously collects authentication cookies and transmits them to the attackers' server every 60 seconds. Tool Access 11 takes it a step further, blocking access to critical administrative pages within Workday, preventing users from managing security settings and controlling sessions.

DataByCloud 2 expands on this, blocking access to a total of 56 pages, including password changes and 2FA device management. It's a sophisticated attack, targeting both production and testing environments.

DataByCloud 1, on the other hand, focuses on stealing cookies and preventing code inspection, ensuring its malicious activities remain hidden. Software Access, the most advanced of the bunch, combines cookie theft with the ability to inject stolen cookies, facilitating direct session hijacking. It even protects password input fields, making it harder for users to detect its presence.

All five malicious extensions also contain an identical list of 23 security-related Chrome extensions. This list includes popular tools like EditThisCookie and Cookie-Editor. Socket believes this is an attempt to monitor and flag any potential interference with the attackers' cookie harvesting objectives. The presence of this list across all extensions raises questions: is it the work of a single threat actor or a common toolkit shared among cybercriminals?

If you've installed any of these extensions, it's crucial to remove them immediately, reset your passwords, and review your account for any unauthorized access. The combination of continuous credential theft and administrative interface blocking creates a dangerous scenario where security teams are left helpless.
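
To check a machine for the five extension IDs listed above, the following added example (not code from Socket or from the original article) scans a Chrome user data directory. It assumes Chrome's standard profile layout, where each profile holds an `Extensions/<id>` folder and a `Preferences` or `Secure Preferences` JSON file that registers installed extensions under `extensions.settings`; the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# Extension IDs and names exactly as listed in the article.
FLAGGED = {
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}

def ids_in_prefs(pref_file):
    """Return extension IDs registered under extensions.settings, or an empty set."""
    try:
        data = json.loads(pref_file.read_text(encoding="utf-8"))
        return set(data.get("extensions", {}).get("settings", {}))
    except (OSError, ValueError, AttributeError, TypeError):
        return set()  # missing, unreadable or malformed file: nothing to report

def scan_user_data_dir(user_data_dir):
    """Return sorted (profile, extension_id, name, evidence) tuples for flagged IDs."""
    hits = set()
    for profile in Path(user_data_dir).iterdir():
        if not profile.is_dir():
            continue
        ext_root = profile / "Extensions"
        on_disk = {p.name for p in ext_root.iterdir()} if ext_root.is_dir() else set()
        registered = set()
        for name in ("Preferences", "Secure Preferences"):
            registered |= ids_in_prefs(profile / name)
        for ext_id, ext_name in FLAGGED.items():
            if ext_id in on_disk:
                hits.add((profile.name, ext_id, ext_name, "extension directory"))
            if ext_id in registered:
                hits.add((profile.name, ext_id, ext_name, "preferences entry"))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed usage: pass the Chrome "User Data" directory of the account being checked.
    for hit in scan_user_data_dir(sys.argv[1]):
        print("\t".join(hit))
```

A hit in the preferences file without a matching extension directory is still worth investigating, since it shows the extension was registered in that profile.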

This article highlights the importance of staying vigilant and keeping your digital security up-to-date. Don't become a victim of these stealthy extensions! Stay informed and protect your online presence.

Author: Lidia Grady
