A significant and sophisticated campaign involving hundreds of malicious extensions for the Google Chrome browser has been uncovered, resulting in the theft of data from millions of unsuspecting users. According to research by DomainTools Intelligence (DTI), an unidentified group of cybercriminals has orchestrated the creation of over 100 deceptive websites and browser extensions since February 2024. These fake entities were meticulously designed to mimic legitimate and popular online services, including productivity tools, advertising management platforms, VPN providers, cryptocurrency exchanges, and banking applications, all with the insidious goal of tricking users into installing malware.
These malicious extensions, deceptively available on the official Google Chrome Web Store (CWS), often delivered the basic functionality they advertised initially. However, their primary purpose was covertly executed through credential and cookie theft, session hijacking, the injection of unwanted advertisements, malicious redirects to phishing sites, traffic manipulation, and sophisticated phishing attacks leveraging DOM (Document Object Model) manipulation. A key element in the attackers’ success was the granting of overly broad access permissions during the extension installation process, as specified in their manifest.json files. These excessive privileges allowed the extensions to interact with every website visited by the user, execute arbitrary code received from attacker-controlled servers, perform unauthorized redirects, and inject advertisements directly into web pages.
Further technical analysis revealed that the extensions employed the onreset event handler on a temporary DOM element to execute malicious code, a technique likely intended to circumvent browser Content Security Policy (CSP) measures. Prominent legitimate products and services that were impersonated in this campaign include DeepSeek, Manus, DeBank, FortiVPN, and Site Stats. Once a malicious extension was successfully installed, it would immediately begin collecting browser cookies, downloading and executing arbitrary scripts from a remote command-and-control server, and establishing a persistent WebSocket connection, effectively turning the infected browser into a network proxy to route malicious traffic.
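The two paragraphs above describe what a defender can actually look for when triaging an extension before it is allowed into a managed browser fleet: an over-broad manifest.json (high-risk permissions plus `<all_urls>` host access) combined with source-level indicators such as an inline `onreset` handler on a throwaway element, remote script execution, bulk cookie reads, and a persistent WebSocket. The script below is an added example written for this article, not code from DomainTools or from any of the extensions; the manifest, the source snippet, the permission list and the scoring weights are constructed assumptions chosen to illustrate the technique, not a reproduction of the real campaign.

```javascript
// Added example (not from the DomainTools report): static triage of an
// unpacked Chrome extension. It scores manifest.json permissions and scans
// the extension's JavaScript for the behaviours the article describes.
// All inputs below are constructed samples.

// Permissions that let an extension read or alter traffic, cookies or pages
// on arbitrary sites. Assumption: this list is a starting point, not policy.
const HIGH_RISK_PERMISSIONS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "scripting", "proxy", "tabs", "webNavigation", "debugger", "management",
]);

// Match patterns that grant access to every site the user visits.
function isBroadHostPattern(p) {
  return p === "<all_urls>" || /^\*:\/\/\*\/\*$/.test(p) || /^https?:\/\/\*\/\*$/.test(p);
}

// Return a list of manifest findings such as "permission:cookies".
function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  }
  // MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  for (const h of hosts) {
    if (isBroadHostPattern(h)) findings.push(`broad-host:${h}`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHostPattern(m)) findings.push(`content-script-all-sites:${m}`);
    }
  }
  return findings;
}

// Source heuristics for the behaviours named in the article. Regexes are
// deliberately simple; a real triage pipeline would parse the AST.
const SOURCE_PATTERNS = [
  { id: "inline-onreset-handler", re: /\.onreset\s*=|setAttribute\(\s*["']onreset["']/ },
  { id: "remote-script-exec", re: /\b(eval|new Function)\s*\(/ },
  { id: "cookie-harvest", re: /chrome\.cookies\.getAll\s*\(/ },
  { id: "websocket-c2", re: /new\s+WebSocket\s*\(\s*["']wss?:\/\// },
];

// Return the ids of every pattern that fires on the given source text.
function scanSource(src) {
  return SOURCE_PATTERNS.filter((p) => p.re.test(src)).map((p) => p.id);
}

// Additive score: one point per manifest finding, two per behavioural hit.
// Assumption: the weights are illustrative and should be tuned per fleet.
function riskScore(manifestFindings, sourceFindings) {
  return manifestFindings.length + 2 * sourceFindings.length;
}

function triage(manifest, src) {
  const manifestFindings = auditManifest(manifest);
  const sourceFindings = scanSource(src);
  return { manifestFindings, sourceFindings, score: riskScore(manifestFindings, sourceFindings) };
}

// Constructed sample manifest modelled on the "broad access" pattern above.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Productivity Helper", // constructed name
  permissions: ["cookies", "storage", "scripting", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

// Constructed sample source: indicators only, no working payload.
const SAMPLE_SOURCE = `
chrome.cookies.getAll({}, (all) => exfil(all));
const form = document.createElement("form");
form.setAttribute("onreset", "/* REMOTE_CODE_PLACEHOLDER */");
const ws = new WebSocket("wss://relay.example.invalid/proxy");
`;

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE), null, 2));
```

Run it with `node triage.js` after pasting the block into a file; on the constructed sample it reports five manifest findings and three behavioural hits (score 11). In practice the useful signal is the combination: `<all_urls>` plus `cookies` plus a WebSocket to an unrelated host is far more telling than any single finding, which is why the score adds them rather than flagging each in isolation.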
While the precise methods used to redirect victims to phishing sites remain under investigation, DTI suggests the likely use of standard social engineering tactics and phishing campaigns distributed across social media platforms. Notably, the presence of Facebook IDs on numerous fake websites strongly indicates the attackers’ potential exploitation of Facebook and Meta applications to lure unsuspecting visitors. This likely involved the creation of deceptive pages, groups, and targeted advertisements.
Responding to the findings, Google has already taken decisive action by removing the identified malicious extensions from the Chrome Web Store. However, the scale of the campaign underscores the persistent threat posed by seemingly legitimate browser add-ons.
As a crucial preventative measure, users are strongly advised to exercise extreme caution when installing browser extensions. Best practices include only installing extensions from trusted and verified developers, carefully scrutinizing the permissions requested by an extension before granting them, thoroughly reading user reviews (while being aware of potential manipulation), and avoiding any extensions that appear suspicious, even if they mimic well-known services. The DomainTools analysis also uncovered a deceptive tactic used by some extensions, such as those impersonating DeepSeek: users who left low ratings (1-3 stars) were redirected to a private feedback form, effectively preventing negative reviews from appearing publicly, while users leaving high ratings (4-5 stars) were directed to the official Chrome Web Store review page to inflate the extension’s perceived legitimacy.
The investigation into this extensive Chrome hijacking campaign is currently ongoing, and the identity of the individuals or groups responsible for this widespread data theft has yet to be definitively established. This incident serves as a stark reminder of the importance of remaining vigilant and informed about the potential risks associated with browser extensions.