An unknown threat actor has been attributed to the creation of several malicious Chrome browser extensions since February 2024. The extensions masquerade as seemingly benign utilities but contain covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
"The actor creates websites that masquerade as legitimate services, productivity tools, assistants or media analysis tools, VPN, crypto, banking and more to direct users to install corresponding malicious extensions on the Google Chrome Web Store (CWS)," DomainTools (DTI) noted in a report shared with The Hacker News.
While the browser extensions do provide the advertised functionality, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.
Another factor working in the extensions' favor is that they are configured to grant themselves excessive permissions via the manifest.json file, allowing them to interact with every site visited in the browser, execute arbitrary code fetched from an attacker-controlled server, and perform malicious redirections.
The extensions have been found to rely on "onreset" event handlers attached to Document Object Model (DOM) elements to execute their code, most likely as an attempt to bypass the content security policy (CSP).
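The manifest.json permission pattern described above is something a reviewer can check mechanically. The script below is an added example, not code from the DomainTools report or from the extensions it describes: it audits a Chrome extension manifest (MV2 or MV3) for broad host access, permissions commonly abused for cookie theft and traffic interception, and a CSP that permits eval or remotely hosted scripts. The two sample manifests are constructed for illustration, and the "sensitive permission" list is the author's judgement, not a category Chrome defines.

```javascript
// Added example (not from the DomainTools report): audit a Chrome extension
// manifest for the kind of over-broad grants that let an extension read every
// site, steal cookies, and run code fetched from a remote server.

// Host match patterns that cover every (or nearly every) origin.
const BROAD_HOST_RE = /^(<all_urls>|\*:\/\/\*\/|https?:\/\/\*\/|file:\/\/\/)/;

// Permissions routinely abused for cookie theft, traffic interception, code
// injection, and proxying. This list is an assumption for the example.
const SENSITIVE_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "scripting", "tabs", "proxy", "debugger", "history", "nativeMessaging",
  "management", "webNavigation",
]);

// Collect host patterns from every place a manifest can declare them:
// MV2 `permissions`, MV3 `host_permissions`, and content-script `matches`.
function hostPatterns(manifest) {
  const fromPermissions = (manifest.permissions || [])
    .filter((p) => p === "<all_urls>" || p.includes("://"));
  const fromHostPermissions = manifest.host_permissions || [];
  const fromContentScripts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || []);
  return [...fromPermissions, ...fromHostPermissions, ...fromContentScripts];
}

// Normalise the CSP, which is a string in MV2 and an object in MV3.
function cspText(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp === "object") return csp.extension_pages || "";
  return "";
}

// Return a list of human-readable findings for one manifest object.
function auditManifest(manifest) {
  const findings = [];
  for (const h of new Set(hostPatterns(manifest))) {
    if (BROAD_HOST_RE.test(h)) findings.push(`broad host access: ${h}`);
  }
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  const csp = cspText(manifest);
  if (/unsafe-eval|unsafe-inline/.test(csp)) findings.push(`relaxed CSP: ${csp}`);
  if (/script-src[^;]*https?:\/\//.test(csp)) findings.push(`CSP permits remote scripts: ${csp}`);
  return findings;
}

// Broad host access combined with a sensitive permission or a weakened CSP is
// the combination that makes the behaviour described in the article possible.
function riskLevel(findings) {
  const broad = findings.some((f) => f.startsWith("broad host access"));
  const sensitive = findings.some((f) => f.startsWith("sensitive permission"));
  const csp = findings.some((f) => f.startsWith("relaxed CSP") || f.startsWith("CSP permits"));
  if (broad && (sensitive || csp)) return "high";
  if (broad || sensitive || csp) return "medium";
  return "low";
}

// Constructed sample manifests (illustrative assumptions, not real extensions).
// An MV2 "VPN helper" that asks for everything and whitelists a remote script host.
const LOOKALIKE_VPN_MANIFEST = {
  manifest_version: 2,
  name: "Free VPN Helper",
  version: "1.0",
  permissions: ["cookies", "webRequest", "webRequestBlocking", "tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.updates.invalid; object-src 'self'",
};

// A least-privilege MV3 utility that only touches the active tab on user action.
const MINIMAL_MANIFEST = {
  manifest_version: 3,
  name: "Word Counter",
  version: "1.0",
  permissions: ["activeTab", "storage"],
};

for (const m of [LOOKALIKE_VPN_MANIFEST, MINIMAL_MANIFEST]) {
  const findings = auditManifest(m);
  console.log(`${m.name}: risk=${riskLevel(findings)}`, findings);
}
```

The audit deliberately unions host patterns from all three declaration sites, because an extension that requests only `activeTab` but injects a content script on `*://*/*` still runs on every page. A clean manifest is not proof of safety (the "onreset" trick described above lives in the extension's JavaScript, not in its manifest), but a manifest that fails this check is a strong reason not to install.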
Some of the identified lure sites advertise legitimate products and services such as DeepSeek, Manus, DeBank, FortiVPN, and site analytics tools to entice users into downloading and installing the extensions. Once installed, the add-ons harvest browser cookies, fetch arbitrary scripts from a remote server, and establish a WebSocket connection that lets the extension act as a network proxy for routing traffic.
There is currently no visibility into how victims are directed to the fake sites, but DomainTools told the publication that it may involve common methods such as phishing and social media.
"Because they appear in the Chrome Web Store and also have adjacent websites, they can surface in the results of ordinary internet searches and in searches within the Chrome store," the company said. "Many lure sites used Facebook tracking IDs, which strongly suggests that they use Facebook/Meta applications in some way to attract site visitors, perhaps through Facebook pages, groups, and even advertising."
As of writing, it is not known who is behind the campaign, although the threat actor has set up more than 100 fake sites and malicious Chrome extensions. Google, for its part, has removed the extensions.
To mitigate the risk, users are advised to stick to verified developers when installing extensions, review the requested permissions, scrutinize reviews, and avoid lookalike extensions.
That said, it also bears noting that ratings can be manipulated and artificially inflated by filtering out negative user feedback.
In an analysis published late last month, DomainTools found a fake DeepSeek extension that redirected users leaving low ratings (1-3 stars) to a private feedback form on the ai-chat-bot[.]pro domain, while sending those leaving high ratings (4-5 stars) to the official Chrome Web Store page.