A threat actor leveraged compromised developer accounts to distribute malicious updates to Chrome extensions through the Chrome Web Store, affecting 3.2 million users. The attack, first identified in December 2024, involved injecting harmful scripts into 16 seemingly legitimate extensions, enabling large-scale data exfiltration.
Google removed the malicious extensions from the Chrome Web Store. However, the removal does not trigger automatic uninstallation, leaving affected users vulnerable unless they manually remove the extensions, reports The Hindu.
Here is the list of affected extensions:
- Blipshot: one click full page screenshots
- Emojis – Emoji keyboard
- WAToolkit
- Colour Changer for YouTube
- Video Effects for YouTube And Audio Enhancer
- Themes for Chrome and YouTube Picture in Picture
- Mike Adblock für Chrome | Chrome-Werbeblocker
- Page Refresh
- Wistia Video Downloader
- Super dark mode
- Emoji keyboard emojis for Chrome
- Adblocker for Chrome – NoAds
- Adblock for You
- Adblock for Chrome
- Nimble capture
- KProxy
The attack originated with phishing campaigns targeting extension developers. Once the attackers gained control over developer accounts, they introduced malicious updates to various extensions, including emoji keyboards, screen capture utilities, ad blockers, and proxy services.

These extensions functioned as advertised, making it difficult for users to detect them as malicious. Upon installation, the extensions communicated with a configuration server, relaying version details and unique identifiers.
They then dynamically retrieved and stored configuration data that determined their subsequent malicious activity. Notably, the extensions stripped the Content Security Policy (CSP) header from websites visited by affected users. This CSP removal exposed users to cross-site scripting (XSS) and other injection-based threats, in violation of Chrome Web Store policies.
Each compromised extension was linked to a distinct configuration server, separate from its primary application infrastructure. The attackers delivered second-stage payloads through these servers, which were likely injected into web pages via the infected extensions.
Key techniques included intercepting HTTP headers and DOM content, injecting obfuscated JavaScript to manipulate search engine results, bypassing ad-blocking filters to preserve advertising revenue, blocking Microsoft tracking services, and collecting extensive user browsing data.
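The header-stripping behaviour described above depends on an extension both holding a permission that lets it rewrite HTTP responses and having code that touches the Content-Security-Policy header. As an added defensive example (not code from the article or from any of the extensions it names), the audit below reads an unpacked extension's manifest and source files and flags that combination; the two fixtures at the bottom are constructed, not real extensions.

```python
"""Audit unpacked Chrome extensions for the header-rewrite capability behind CSP stripping."""
import json
import os
import re

# Permissions that allow observing or rewriting HTTP responses (MV2 and MV3).
HEADER_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Header-rewrite APIs (MV2 listener, MV3 rule action) and the header of interest.
HEADER_API_RE = re.compile(r"onHeadersReceived|modifyHeaders|responseHeaders")
CSP_RE = re.compile(r"content-security-policy", re.IGNORECASE)

def load_extension(ext_dir):
    """Read an unpacked extension directory into {relative_path: text} (js/json only)."""
    files = {}
    for root, _, names in os.walk(ext_dir):
        for name in names:
            if name.endswith((".js", ".json")):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, ext_dir)] = fh.read()
    return files

def audit_extension(files):
    """Flag an extension that can rewrite headers and names CSP in its code."""
    manifest = json.loads(files["manifest.json"])
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    code = {p: s for p, s in files.items() if p != "manifest.json"}
    report = {
        "name": manifest.get("name", "?"),
        "header_perms": sorted(declared & HEADER_PERMS),
        "broad_hosts": sorted(declared & BROAD_HOSTS),
        "header_api_files": sorted(p for p, s in code.items() if HEADER_API_RE.search(s)),
        "csp_files": sorted(p for p, s in code.items() if CSP_RE.search(s)),
    }
    # Capability plus a CSP reference in code is the combination worth a manual review.
    report["suspicious"] = bool(report["header_perms"] and report["header_api_files"]
                                and report["csp_files"])
    return report

# Constructed fixtures (not real extensions): a benign reload helper and one whose
# background script registers a response-header listener that names CSP.
BENIGN = {"manifest.json": json.dumps({"name": "Sample Refresh", "manifest_version": 3,
                                       "permissions": ["alarms", "activeTab"]}),
          "bg.js": "chrome.alarms.onAlarm.addListener(() => chrome.tabs.reload());"}
SUSPECT = {"manifest.json": json.dumps({"name": "Sample Theme", "manifest_version": 2,
                                        "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"]}),
           "bg.js": "chrome.webRequest.onHeadersReceived.addListener(h, {urls: ['<all_urls>']},"
                    " ['blocking', 'responseHeaders']); // h drops Content-Security-Policy"}
```

To audit a real installation, pass `load_extension(path)` for each directory under the browser profile's Extensions folder to `audit_extension`; a hit is a reason to inspect the code by hand, not proof of malice, since legitimate developer tools also rewrite headers.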
Researchers also discovered that some injected scripts were traced to phishing kits impersonating institutions like McGill University and Switzerland’s SBB SFF FFS railway, further linking this operation to broader cyber intrusion activities.