Hackers were reportedly able to modify several Chrome extensions with malicious code this month after gaining access to administrator accounts through a phishing campaign. Cybersecurity company Cyberhaven said in a statement announced this weekend that its Chrome extension was compromised on December 24 in an attack that appeared to “target logins to specific social media advertising and AI platforms.” Some other extensions were also affected, dating back to mid-December. reported. According to Nudge Security these include ParrotTalks, Uvoice and VPNCity.
Cyberhaven notified its customers on December 26 in an email viewed by which advised them to revoke and change their passwords and other credentials. The company’s initial investigation into the incident revealed that the malicious extension targeted Facebook advertising users with the aim of stealing data such as access tokens, user IDs and other account information, as well as cookies. The code also added a mouse click listener. “After all data is successfully sent to the (Command & Control) server, the Facebook user ID is stored in the browser storage,” Cyberhaven said in its analysis. “This user ID is then used in mouse click events to help attackers with 2FA on their end if necessary.”
Cyberhaven said it first discovered the breach on December 25 and was able to remove the malicious version of the extension within an hour. A clean version has since been released.
