Hackers successfully infiltrated several Chrome extensions this month by injecting malicious code after gaining access to admin accounts through a phishing campaign. The cybersecurity firm Cyberhaven disclosed in a blog post over the weekend that its Chrome extension was compromised on December 24. The attack appeared to be “targeting logins to specific social media advertising and AI platforms.”
Reuters reported that several other extensions were also affected, dating back to mid-December. According to Jaime Blasco of Nudge Security, the compromised extensions include ParrotTalks, Uvoice, and VPNCity.
Cyberhaven informed its customers about the breach on December 26 through an email obtained by TechCrunch. The email advised customers to revoke and rotate their passwords and other credentials. Cyberhaven’s initial investigation revealed that the malicious extension specifically targeted Facebook Ads users, aiming to steal data such as access tokens, user IDs, and other account information, along with cookies. The malicious code also included a mouse click listener.
Cyberhaven explained in its analysis:
“After successfully sending all the data to the [Command & Control] server, the Facebook user ID is saved to browser storage. That user ID is then used in mouse click events to assist attackers with 2FA on their side if that was needed.”
Cyberhaven first detected the breach on December 25 and managed to remove the malicious version of the extension within an hour. The company has since released a clean version of the extension.