After phishing attack: Malicious extensions smuggled into Chrome Web Store
Over the Christmas period, the perpetrators gained access to various Chrome extensions – in some cases even much earlier.
(Image: Wachiwit/Shutterstock.com)
Numerous developers of extensions for the Google Chrome browser fell victim to a phishing attack over Christmas – with drastic consequences: Unknowingly, they granted the perpetrators access to the source code of their applications stored in the Chrome Web Store. The cybercriminals used this to upload new, malicious versions of the Chrome extensions. This provided them with access to sensitive user data on around 2.6 million devices.
According to an analysis by IT security consultancy Annex, at least 29 Chrome extensions are affected. The tech news site Ars Technica even puts the figure at 33. However, these figures (as of January 3, 2025) may well be revised upwards, given the scale and duration of the phishing campaign behind them. When security experts got to the bottom of a successful phishing attack on a developer of the "Cyberhaven" extension, numerous other compromised Chrome extensions also came to light, according to Ars Technica and Annex.
Apparently targeting login data
According to Cyberhaven, the attackers attempted to steal login data for social media accounts and AI applications. According to Annex, the attackers' version of Cyberhaven targeted ChatGPT login data, apparently without success. Cyberhaven urgently advises users to change the passwords of all Facebook accounts used on affected devices. Users should also check whether the malicious version is still installed and update it if necessary.
In the case of Cyberhaven, an employee fell for a fake email in which the attackers pretended to be a Google representative. As a result, he unwittingly enabled the perpetrators to upload a new, malicious version of the Cyberhaven extension to the Chrome Web Store. The Cyberhaven extension is designed to protect users from unintentionally disclosing sensitive data in emails or on websites.
Malicious version downloaded automatically
The malicious version is Cyberhaven 24.10.4, which, according to a Cyberhaven blog post, was available in the Chrome Web Store from December 25 at 1:32 am to December 26 at 2:50 am. Any Chrome browser that ran the extension during this window also automatically downloaded the malicious version. After the incident became known, the Cyberhaven team released version 24.10.5, followed soon after by version 24.10.6.
Unfortunately, Cyberhaven was only a small part of a large-scale phishing campaign against Chrome extension developers dating back to at least April 2023. A closer investigation by Annex found a connection to at least 28 other Chrome extensions of which malicious versions were, or in some cases still are, in circulation, and Annex provides an overview of them. Some of the affected extensions have since been updated to clean versions or removed from the Chrome Web Store entirely, but others are still available in their malicious form.
Users of the affected extensions should now urgently check whether they are using the malicious version and, if necessary, update to a harmless, current version or remove the extensions completely. It is also strongly recommended that any affected passwords or other access data be changed.
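As an added, defender-side example (not from the article, Cyberhaven or Annex), the following Python script walks a Chrome profile's Extensions directory and flags any installed extension whose manifest version falls inside a known-malicious range, using the reported Cyberhaven range (24.10.4 malicious, 24.10.5 fixed). The Cyberhaven extension id is not given in the article, so a placeholder stands in for it, and the `<id>/<version>_<n>/manifest.json` layout is assumed from Chrome's standard profile directory.

```python
import json
import tempfile
from pathlib import Path

# Advisory table: extension id -> (first malicious version, first fixed version).
# The Cyberhaven id is not in the article, so a placeholder is used; the versions
# are the reported ones (24.10.4 malicious, 24.10.5 fixed).
ADVISORIES = {
    "CYBERHAVEN_EXTENSION_ID_PLACEHOLDER": ("24.10.4", "24.10.5"),
}

def parse_version(v):
    """Extension versions are 1-4 dot-separated integers; pad so 24.10 == 24.10.0.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected(ext_id, version, advisories=ADVISORIES):
    """True if this id/version lies in [first malicious, first fixed)."""
    rng = advisories.get(ext_id)
    if rng is None:
        return False
    first_bad, first_fixed = rng
    return parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed)

def scan_extensions_dir(root, advisories=ADVISORIES):
    """Walk <root>/<id>/<version>_<n>/manifest.json; return affected (id, version) pairs.
    The manifest "version" field is used, not the directory name with its "_0" suffix."""
    hits = []
    for manifest in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            version = json.loads(manifest.read_text(encoding="utf-8")).get("version", "")
            affected = bool(version) and is_affected(ext_id, version, advisories)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        if affected:
            hits.append((ext_id, version))
    return hits

def demo():
    """Build a constructed Extensions tree in a temp dir (sample data, not a real profile) and scan it."""
    root = Path(tempfile.mkdtemp())
    for ext_id, ver in [("CYBERHAVEN_EXTENSION_ID_PLACEHOLDER", "24.10.4"),
                        ("CYBERHAVEN_EXTENSION_ID_PLACEHOLDER", "24.10.6"),
                        ("unrelated_extension", "1.2")]:
        d = root / ext_id / f"{ver}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": ext_id, "version": ver}))
    return scan_extensions_dir(root)  # -> [('CYBERHAVEN_EXTENSION_ID_PLACEHOLDER', '24.10.4')]
```

On a real machine, pass the profile's Extensions directory (its location varies by operating system) to `scan_extensions_dir` and fill `ADVISORIES` with the real ids and ranges from the vendor or Annex advisories.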
(nen)