Hackers were reportedly able to modify several Chrome extensions with malicious code this month after gaining access to administrator accounts through a phishing campaign. Cybersecurity company Cyberhaven reported in a blog post this weekend that its Chrome extension was compromised on December 24 in an attack that appears to have “targeted logins to certain social media advertising and artificial intelligence platforms.” According to Reuters, several other extensions were hacked in mid-December. These include ParrotTalks, Uvoice, and VPNCity, according to Nudge Security’s Jaime Blasco.
Cyberhaven notified its customers on December 26 in an email seen by TechCrunch and advised them to revoke and change their passwords and other credentials. The company’s initial investigation into the incident revealed that the malicious extension targeted Facebook Ads users to steal data such as access tokens, user IDs, and other account information, as well as cookies. The code also added a mouse click tracker. “After successfully sending all the data to the [Command & Control] server, the Facebook user ID is stored in the browser’s memory,” Cyberhaven’s analysis says. “This user ID is then used in click events to help attackers with 2FA on their side, if necessary.”
Cyberhaven said it first discovered the breach on December 25 and was able to remove the malicious version of the extension within an hour. It has since released a clean version.