100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Summary:
Since February 2024, an unidentified threat actor has been creating malicious Chrome browser extensions that disguise themselves as legitimate utilities, such as productivity tools, media analysis assistants, VPNs, and crypto or banking services. These extensions are distributed through professional-looking websites that impersonate well-known services. While the extensions appear to function as advertised, they contain hidden capabilities designed to exfiltrate sensitive data, execute arbitrary code, and manipulate browser behavior. They enable actions such as credential and cookie theft, session hijacking, ad injection, malicious redirects, and phishing through DOM manipulation.
A key enabler of these attacks is the excessive permissions granted via the manifest.json file, which allows the extensions to interact with all sites visited in the browser. They also use techniques like triggering code execution via the “onreset” event handler on temporary DOM elements, potentially bypassing content security policy restrictions. The extensions establish WebSocket connections to function as proxies, further facilitating malicious traffic routing and external script execution.
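The manifest-permission enabler described above is also what makes such extensions detectable on an endpoint. The following is an added example (not code from the report or from DomainTools) that audits unpacked Chrome extension manifests for the combination the campaign relied on: access to every visited site plus sensitive APIs. The directory layout, the permission lists, and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits, and API
# permissions that enable cookie/session theft, script injection or traffic
# manipulation. Both sets are a defender's assumption, not the report's list.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
               "scripting", "tabs", "history", "clipboardRead", "nativeMessaging"}


def audit_manifest(manifest: dict) -> dict:
    """Flag over-broad host access combined with sensitive API permissions."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host match patterns into "permissions"; V3 separates them.
    for p in list(perms):
        if "://" in p or p == "<all_urls>":
            hosts.add(p)
            perms.discard(p)
    # Content scripts declare their own match patterns and run inside the page DOM.
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    findings = {
        "name": manifest.get("name", "?"),
        "broad_host_access": sorted(h for h in hosts if h in BROAD_HOSTS),
        "risky_permissions": sorted(perms & RISKY_PERMS),
    }
    # Either alone is common in legitimate extensions; together they warrant review.
    findings["suspicious"] = bool(findings["broad_host_access"]) and bool(findings["risky_permissions"])
    return findings


def audit_profile(extensions_dir: Path) -> list:
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions dir."""
    return [audit_manifest(json.loads(m.read_text(encoding="utf-8")))
            for m in extensions_dir.glob("*/*/manifest.json")]


# Constructed sample manifests (not from the report): one mirroring the
# campaign's pattern, one with scoped permissions a benign tool would request.
SAMPLE_BAD = {"name": "Media Helper (constructed)", "manifest_version": 3,
              "permissions": ["cookies", "scripting", "storage"],
              "host_permissions": ["<all_urls>"],
              "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
SAMPLE_OK = {"name": "Notes (constructed)", "manifest_version": 3,
             "permissions": ["storage"],
             "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    for m in (SAMPLE_BAD, SAMPLE_OK):
        print(audit_manifest(m))
```

Point `audit_profile` at a profile's `Extensions` directory to get the same findings for every installed extension; a hit is a prompt to inspect the extension, not proof of malice.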
Though the exact redirection methods to these fake sites remain unclear, DomainTools suggests common tactics like phishing and social media-based promotion, including Facebook ads and groups. The extensions are deceptively presented on the Chrome Web Store, making them discoverable through standard web and in-store searches. Many of the lure websites contained Facebook tracking IDs, reinforcing suspicions of Meta platform abuse in the delivery chain.
Security Officer Comments:
To date, over 100 fraudulent websites and Chrome extensions have been associated with the campaign, which remains unattributed. Google has removed the identified malicious extensions, but the campaign’s scope highlights ongoing threats within browser ecosystems. DomainTools also uncovered evidence of manipulation in the Chrome Web Store’s review system, where low-rating users were redirected to private feedback pages while high-rating users were funneled to the official review site, indicating deliberate efforts to skew public perception and conceal malicious intent.
Suggested Corrections:
All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions. Keep your browser and antivirus software updated, and regularly review your installed extensions, removing any you don’t need or find suspicious. Vigilance is key to avoiding these threats.
Link(s):
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html