Thursday, May 22, 2025

Researchers from DomainTools Intelligence (DTI) have uncovered a large-scale cyber campaign in which over 100 fake Google Chrome extensions were created and distributed since February 2024. These malicious extensions were disguised as legitimate tools for productivity, VPNs, cryptocurrency, finance, and other services. They were promoted via phishing websites that closely mimicked real brands such as DeepSeek, FortiVPN, and DeBank, tricking users into installing extensions laced with dangerous functionality such as:
- Password and cookie theft
- Session hijacking
- Malicious website redirection
- Ad injection
- Phishing
Although these extensions appeared to operate normally, they were configured with excessive permissions in the manifest.json file, granting access to all web pages and allowing remote code execution from attacker-controlled servers.
The extensions also employed advanced techniques to bypass Content Security Policy (CSP) by injecting malicious code through temporary DOM event handlers such as onreset. They established WebSocket connections, turning the victim's browser into a proxy for exfiltrating stolen data. Some attacker websites even embedded Facebook Pixel IDs, suggesting they may have used Meta platforms, including Facebook Pages, groups, or ads, to promote the fake extensions.
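The over-broad manifest.json permissions and relaxed CSP described above are the kind of thing a defender can check mechanically before an extension is allowed into an environment. The audit function below is an added example written for this summary, not code from DomainTools or from the campaign; the sample manifest it runs over is constructed, and the finding strings and threshold of "sensitive" APIs are this example's own choices.

```python
import json
import re

# Host patterns that grant the extension access to every site the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with all-site access, enable cookie and session
# theft, request tampering or injection of code into pages.
SENSITIVE_APIS = {
    "cookies", "tabs", "webRequest", "webRequestBlocking", "scripting",
    "declarativeNetRequest", "proxy", "webNavigation", "history",
}

def _as_list(value):
    return value if isinstance(value, list) else []

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed manifest.json."""
    findings = []
    perms = _as_list(manifest.get("permissions"))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = perms + _as_list(manifest.get("host_permissions"))
    broad = sorted(h for h in hosts if h in ALL_SITES)
    if broad:
        findings.append("all-site access: " + ", ".join(broad))
    risky = sorted(p for p in perms if p in SENSITIVE_APIS)
    if risky:
        findings.append("sensitive APIs: " + ", ".join(risky))
    # A content script matched to every page also runs code on every site.
    for cs in _as_list(manifest.get("content_scripts")):
        if any(m in ALL_SITES for m in _as_list(cs.get("matches"))):
            findings.append("content script runs on every page")
            break
    # A relaxed CSP (unsafe-eval or remote script sources) eases remote code loading.
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # Manifest V3 form
        csp = csp.get("extension_pages", "")
    if isinstance(csp, str) and re.search(r"unsafe-eval|script-src[^;]*https?://", csp):
        findings.append("relaxed extension CSP: " + csp)
    return findings

# Constructed sample manifest (hypothetical, not taken from the campaign).
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 2, "name": "Example VPN Helper",
  "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}""")

for finding in audit_manifest(SAMPLE_MANIFEST):
    print(" -", finding)
```

Run it against an unpacked extension's manifest.json (json.load on the file) to get the same list of findings; an empty list means none of the flagged patterns were present, not that the extension is safe.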
Google has since started removing these malicious extensions from the Chrome Web Store.
Recommendations for Chrome users:
- Install extensions only from verified developers
- Review the permissions requested before installing any extension
- Read reviews carefully, keeping in mind that some may be fake or manipulated
- Avoid extensions with suspicious names or typos that imitate legitimate ones
Source: https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html