Ethical Hacking News
Over 100 fake Chrome extensions have been found to hijack sessions, steal credentials, and inject ads on unsuspecting users' devices. Experts warn that users must remain vigilant and take precautions to protect themselves against such threats.
Over 100 fake Chrome extensions have been found to hijack sessions, steal credentials, and inject ads on unsuspecting users' devices.
The malicious extensions were discovered in February 2024 and masquerade as legitimate utilities with innocuous-sounding names.
The extensions contain covert functionality that enables the exfiltration of sensitive data and grant themselves excessive permissions via the manifest.json file.
The malware campaign uses social engineering tactics to trick users into installing the extensions, creating fake websites that impersonate legitimate services.
The extensions bypass content security policy (CSP) restrictions, allowing them to inject malicious scripts into web pages.
Google has removed the extensions from the Chrome Web Store, but experts warn users to remain vigilant and take precautions to protect themselves.
The browser security landscape has been dealt a severe blow as a massive malware campaign was recently uncovered. According to recent reports from the renowned cybersecurity news platform, The Hacker News (THN), over 100 fake Chrome extensions have been found to be hijacking sessions, stealing credentials, and injecting ads on unsuspecting users' devices.
The malicious extensions, which were discovered in February 2024, masquerade as legitimate utilities with innocuous-sounding names like "DeepSeek" and "FortiVPN." These deceptively named extensions are designed to entice users into installing them by impersonating popular products and services. However, once installed, these extensions reveal their true malicious nature.
The THN report revealed that the extensions were created using sophisticated techniques to evade detection by security software. They contain covert functionality that enables the exfiltration of sensitive data, such as browser cookies and login credentials. Furthermore, they are configured to grant themselves excessive permissions via the manifest.json file, allowing them to interact with every site visited on the browser.
The malicious extensions also rely on social engineering tactics to trick users into installing them. They create fake websites that impersonate legitimate services, productivity tools, or ad and media creation assistants, which direct users to install corresponding malicious extensions on Google's Chrome Web Store (CWS).
One of the most concerning aspects of this malware campaign is its ability to bypass content security policy (CSP) restrictions. The extensions use the "onreset" event handler on a temporary document object model (DOM) element to execute code, which allows them to evade content filtering and inject malicious scripts into web pages.
The THN report also noted that some of the identified lure websites impersonate legitimate products and services like DeepSeek, Manus, DeBank, FortiVPN, and Site Stats. These sites use Facebook tracking IDs to attract users, suggesting that social media platforms may be involved in this malware campaign.
Google has taken steps to mitigate the risks associated with these malicious extensions by removing them from the Chrome Web Store. However, experts warn that users must remain vigilant and take precautions to protect themselves against such threats.
To avoid falling victim to this malware campaign, users are advised to install extensions only from verified developers, review the permissions an extension requests, scrutinize its reviews, and avoid lookalike extensions. Users should also be cautious when clicking links or visiting websites that look suspicious or resemble phishing pages.
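The permission review recommended above, and the over-broad manifest.json grants described earlier, can be checked mechanically. The following Python is an added example, not code from the THN report or the campaign: the function names and the two sample manifests are constructed for illustration, while the permission names and the `Extensions/<id>/<version>/manifest.json` layout are standard Chrome conventions.

```python
import json
from pathlib import Path

# Host patterns that match every site, and API permissions that expose
# cookies, traffic or page content (all are standard Chrome permission names).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"cookies", "webRequest", "declarativeNetRequest", "scripting",
             "tabs", "proxy", "debugger", "history", "management"}

def audit_manifest(text):
    """Summarise how much reach one manifest.json requests."""
    m = json.loads(text)
    declared = []
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        declared += [p for p in m.get(key, []) if isinstance(p, str)]
    broad = sorted(set(declared) & BROAD_HOSTS)
    sensitive = sorted(set(declared) & SENSITIVE)
    # Content scripts matching every site can read and rewrite any page.
    inject_all = any(BROAD_HOSTS & set(cs.get("matches", []))
                     for cs in m.get("content_scripts", []))
    if (broad or inject_all) and sensitive:
        risk = "high"      # all-site reach combined with a data-exposing API
    elif broad or inject_all or sensitive:
        risk = "review"
    else:
        risk = "low"
    return {"name": m.get("name", "?"), "broad_hosts": broad,
            "sensitive": sensitive, "inject_all": inject_all, "risk": risk}

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    results = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        # utf-8-sig tolerates a byte-order mark at the start of the file.
        results[path.parts[-3]] = audit_manifest(path.read_text(encoding="utf-8-sig"))
    return results

# Constructed sample manifests (not taken from the campaign).
SUSPICIOUS = json.dumps({"manifest_version": 3, "name": "Example VPN Helper",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]})
NARROW = json.dumps({"manifest_version": 3, "name": "Example Notes",
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://notes.example/*"]})

if __name__ == "__main__":
    for sample in (SUSPICIOUS, NARROW):
        print(audit_manifest(sample))
```

A "high" result is a prompt for manual review, not proof of malice: many legitimate extensions such as ad blockers and password managers also request all-site access.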
The discovery of these 100+ fake Chrome extensions serves as a stark reminder of the ongoing threat landscape in the world of cybersecurity. It highlights the importance of staying informed, vigilant, and proactive in protecting ourselves against emerging threats.
As cybersecurity experts continue to monitor the situation, it remains to be seen how this malware campaign will evolve or if new variants will emerge. However, one thing is certain: users must remain vigilant and take necessary precautions to safeguard their online security.
Related Information:
https://www.ethicalhackingnews.com/articles/Massive-Malware-Campaign-100-Fake-Chrome-Extensions-Hijack-Sessions-Steal-Credentials-ehn.shtml
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html
https://cloudindustryreview.com/over-100-malicious-chrome-extensions-discovered-session-hijacking-credential-theft-and-ad-injection/
Published: Tue May 20 11:47:25 2025 by llama3.2 3B Q4_K_M