Threat actors have compromised 35 Google Chrome extensions in a targeted phishing campaign and potentially exposed the data of approximately 2.6m users. The attack targeted Chrome extension developers through deceptive emails, resulting in the injection of malicious code into widely used extensions.

The most recent phishing offensive began in December 2024, according to reports from affected developers on LinkedIn and Google Groups. However, related command-and-control infrastructure was operational as early as March 2024, according to reporting by BleepingComputer, suggesting a long-planned operation.

Sophisticated phishing emails mimic Google communication

The attackers used emails that appeared to originate from Google, warning developers that their extensions were in violation of Chrome Web Store policies. These emails cited issues such as “unnecessary details in the description” and directed recipients to a link that purported to provide further information.

“I just wanted to alert people to a more sophisticated phishing email than usual that we got, which stated a Chrome Extension policy violation of the form: ‘Unnecessary details in the description,’” wrote a targeted developer on the Chromium Extensions Google Group. “The link in this email looks like the webstore but goes to a phishing website that will try to take control of your Chrome extension and likely update it with malware.”

Clicking the link took developers to a genuine Google-hosted authorisation page for a malicious OAuth application titled “Privacy Policy Extension.” Once a developer approved the requested access, the attackers held an OAuth grant for that developer’s Chrome Web Store account and could publish updates with it. This route sidestepped multi-factor authentication (MFA) rather than breaking it: the developer was already signed in, and consenting to a third-party OAuth application is a step Google does not gate behind a fresh MFA prompt, so the attackers never needed the password or a second factor.

Cyberhaven, one of the affected developers, stated in a detailed analysis that an employee had completed a standard process which inadvertently resulted in the authorisation of the malicious third-party application. “The employee had Google Advanced Protection enabled and had MFA covering his account,” said Cyberhaven. “The employee did not receive an MFA prompt. The employee’s Google credentials were not compromised.”
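The practical consequence of a consent-phishing grant like the one above is that the attacker’s token survives password resets and MFA and has to be found and revoked explicitly. The following is an added example (not code from the article or from Cyberhaven) of how a Workspace admin might triage a developer account’s OAuth grants for the Chrome Web Store publish scope. The grant records are constructed inline to match the shape of the Admin SDK Directory API `tokens.list` response; the allowlisted client ID and the app names are assumptions.

```python
"""Triage Google Workspace OAuth grants for Chrome Web Store access.

Added example, not code from the article or from Cyberhaven. SAMPLE_GRANTS
is constructed to match the fields of the Admin SDK Directory API
tokens.list response (clientId, displayText, scopes, anonymous, nativeApp);
a real audit would fetch them per user from
GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}/tokens.
"""
from dataclasses import dataclass

# Scope that lets an app upload/publish to the Chrome Web Store as the user.
CWS_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Scopes worth reporting when held by an app nobody vetted.
SENSITIVE_SCOPES = {
    CWS_SCOPE,
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}

# Hypothetical allowlist of known-good client IDs (assumption for the example).
TRUSTED_CLIENT_IDS = {
    "123456789012-trusted-ci-publisher.apps.googleusercontent.com",
}

# Constructed sample grants for one developer account.
SAMPLE_GRANTS = [
    {"clientId": "123456789012-trusted-ci-publisher.apps.googleusercontent.com",
     "displayText": "Internal CWS publisher", "anonymous": False,
     "nativeApp": False, "scopes": [CWS_SCOPE]},
    {"clientId": "987654321098-unknown.apps.googleusercontent.com",
     "displayText": "Privacy Policy Extension", "anonymous": False,
     "nativeApp": False,
     "scopes": [CWS_SCOPE, "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "555555555555-calendar.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "anonymous": False,
     "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


@dataclass(frozen=True)
class Finding:
    client_id: str
    display_text: str
    sensitive_scopes: tuple
    reason: str


def triage_grants(grants, trusted_ids=TRUSTED_CLIENT_IDS):
    """Return a Finding for every grant that is not allowlisted and holds a sensitive scope."""
    findings = []
    for g in grants:
        hit = tuple(sorted(s for s in g.get("scopes", []) if s in SENSITIVE_SCOPES))
        if not hit or g["clientId"] in trusted_ids:
            continue
        if CWS_SCOPE in hit:
            reason = "unvetted app holds Chrome Web Store publish scope"
        else:
            reason = "unvetted app holds sensitive scope"
        findings.append(Finding(g["clientId"], g.get("displayText", ""), hit, reason))
    return findings


def revoke_url(user_key, client_id):
    """Admin SDK endpoint that revokes one grant (HTTP DELETE); built here, not called."""
    return (f"https://admin.googleapis.com/admin/directory/v1/users/"
            f"{user_key}/tokens/{client_id}")


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS):
        print(f"[{f.reason}] {f.display_text!r} {f.client_id}")
        print("  scopes:", ", ".join(f.sensitive_scopes))
        print("  revoke:", revoke_url("developer@example.com", f.client_id))
```

Run against the constructed data, only the “Privacy Policy Extension” grant is reported; the allowlisted publisher and the calendar app are skipped. Note that nothing in the grant record itself distinguishes a phished consent from a legitimate one, which is why an allowlist of expected client IDs, rather than the app’s display name, is the comparison key.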

Using the unauthorised access, the attackers modified the targeted extensions by injecting malicious files such as ‘worker.js’ and ‘content.js’. These files were designed to harvest data from Facebook accounts, including user IDs, access tokens and account details, and to capture the user’s interactions with Facebook’s CAPTCHA and two-factor authentication prompts.

The altered extensions were then republished as updated versions on the Chrome Web Store. Analysis showed that users who installed these extensions unknowingly exposed their Facebook accounts to the malicious code, which exfiltrated data to the attackers’ command-and-control servers.
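An update that arrives through the Chrome Web Store looks like any other, so the review step that would have caught this is a diff of the new version against the last known-good one: which files appeared, and what the manifest now asks for. The following is an added example, not the article’s or any vendor’s code, of that comparison. Both versions are constructed in memory as path-to-bytes maps; the file names worker.js and content.js come from the article, while the manifest contents, the added ‘cookies’ permission and the Facebook host pattern are assumptions made for the example. In practice the inputs would be the unpacked CRX/zip trees of the two versions.

```python
"""Diff two unpacked Chrome extension versions to surface suspicious changes.

Added example, not code from the article or from any affected vendor.
V1 and V2 are constructed in memory; real inputs would be the unpacked
trees of two versions (e.g. Extensions/<id>/<version>/ in a Chrome profile).
"""
import hashlib
import json


def _manifest(m):
    return json.dumps(m).encode()


# Constructed "before" version of a benign Manifest V3 extension.
V1 = {
    "manifest.json": _manifest({
        "manifest_version": 3, "version": "1.4.0",
        "permissions": ["storage"],
        "host_permissions": ["https://example-api.invalid/*"],
        "background": {"service_worker": "background.js"},
    }),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});",
    "popup.html": b"<html><body>hi</body></html>",
}

# Constructed "after" version: same files plus worker.js and content.js, a
# swapped background entry point, a new host permission and a content script
# (the extra permission and host pattern are assumptions for the example).
V2 = {
    "manifest.json": _manifest({
        "manifest_version": 3, "version": "1.4.1",
        "permissions": ["storage", "cookies"],
        "host_permissions": ["https://example-api.invalid/*", "https://*.facebook.com/*"],
        "background": {"service_worker": "worker.js"},
        "content_scripts": [{"matches": ["https://*.facebook.com/*"], "js": ["content.js"]}],
    }),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});",
    "popup.html": b"<html><body>hi</body></html>",
    "worker.js": b"importScripts('background.js');",
    "content.js": b"/* constructed stand-in for injected code */",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def diff_versions(old, new):
    """Compare two extension trees and summarise file and manifest changes."""
    old_m = json.loads(old["manifest.json"])
    new_m = json.loads(new["manifest.json"])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if sha256(old[p]) != sha256(new[p]))

    def listed(m, key):
        return set(m.get(key, []))

    def content_scripts(m):
        return {(tuple(cs.get("matches", [])), tuple(cs.get("js", [])))
                for cs in m.get("content_scripts", [])}

    old_bg = old_m.get("background", {}).get("service_worker")
    new_bg = new_m.get("background", {}).get("service_worker")
    return {
        "added_files": added,
        "removed_files": removed,
        "modified_files": modified,
        "new_permissions": sorted(listed(new_m, "permissions") - listed(old_m, "permissions")),
        "new_host_permissions": sorted(listed(new_m, "host_permissions")
                                       - listed(old_m, "host_permissions")),
        "new_content_scripts": sorted(content_scripts(new_m) - content_scripts(old_m)),
        "service_worker_changed": (old_bg, new_bg) if old_bg != new_bg else None,
    }


def risk_notes(report):
    """Turn the raw diff into review prompts; these are heuristics, not verdicts."""
    notes = []
    if report["service_worker_changed"]:
        notes.append("background service worker replaced: %s -> %s"
                     % report["service_worker_changed"])
    if report["new_host_permissions"]:
        notes.append("new host access: " + ", ".join(report["new_host_permissions"]))
    if report["new_content_scripts"]:
        targets = [m for matches, _ in report["new_content_scripts"] for m in matches]
        notes.append("new content scripts injected into: " + ", ".join(targets))
    if "cookies" in report["new_permissions"]:
        notes.append("'cookies' permission added (reads session cookies for granted hosts)")
    return notes


if __name__ == "__main__":
    report = diff_versions(V1, V2)
    print(json.dumps(report, indent=2, default=list))
    for note in risk_notes(report):
        print("REVIEW:", note)
```

On the constructed versions the diff reports worker.js and content.js as new files, manifest.json as modified, the service worker entry point swapped from background.js to worker.js, and new access to facebook.com via both a host permission and a content script. Any one of those in a minor version bump of an extension that never touched Facebook is enough to hold the update for manual review.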

Extension Total, a service tracking compromised Chrome extensions, reported that 35 extensions were confirmed to have been modified. However, pre-registered domains associated with the campaign suggest that the attack may have targeted additional extensions.

The attackers’ activities focused on hijacking Facebook business accounts. Compromised accounts were used for making unauthorised payments, launching phishing campaigns, or selling access to other malicious actors.
