
More details on widespread Chrome extension compromise emerge

BleepingComputer reports that at least 35 Google Chrome extensions, used by nearly 2.6 million users, have been compromised with data-exfiltrating code as part of a phishing campaign that was initially reported to have affected an extension developed by cybersecurity firm Cyberhaven.

While reports on Google Groups and LinkedIn indicated that the campaign began in early December, command-and-control subdomains discovered by BleepingComputer suggest that the attack may have been tested since March. The intrusions used the "supportchromestore.com," "forextensions.com," and "chromeforextension.com" domains to target extension developers with phishing emails falsely claiming policy violations. Clicking the included 'Go To Policy' button redirects targets to a malicious authentication request that would provide threat actors with Chrome Web Store extension permissions. Further examination of the campaign revealed that it primarily targeted extension users' Facebook accounts, with the injected code seeking to compromise Facebook IDs, account information and tokens, and business accounts, while evading the social media platform's two-factor authentication defenses.
