Security Alert: Malicious Chrome Extensions Hijack User Accounts

Last updated: January 27, 2026
  • Cybersecurity researchers reveal that malicious Google Chrome extensions hijack users’ accounts.

  • The add-ons that pretend to be popular human resource sites and business platforms are gradually taking over users’ accounts.

  • Once a user installs such extensions, they gain access to the person’s login data and also block all security controls meant to protect the user.

Cybersecurity experts have issued a warning to Google Chrome users about a new and creative method of attacking people. Experts say that there is a collection of malicious Chrome browser extensions that have disguised themselves as useful productivity tools in order to steal people’s information from popular business and HR sites.

New Chrome Scam Via Browser Extension Hijacks Accounts

Experts from Socket, the company that first discovered this malicious campaign, say the extensions disguise themselves as legitimate software for widely used platforms (like Workday, NetSuite, and SAP SuccessFactors) and trick professionals into installing them without realizing they are malicious.

The security team noted that the extensions posed as productivity tools, promising faster access to workplace portals or enhanced security for workplace data. However, after the installation, the extensions work behind the scenes to steal user data and also prevent the user from using his or her own security controls.

A Google representative confirmed to researchers that Google removed the identified extensions from the official Chrome Web Store but cautioned that copies may still exist on third-party download sites.

The impact of this attack is clearly malicious, but what escalates its severity is that it goes beyond password theft. By stealing session cookies, cybercriminals can bypass all of the login requirements (such as the password and two-factor authentication).

This method of cookie theft to circumvent security measures is a major, recognized threat, as highlighted by a recent FBI warning to Gmail users about attacks specifically designed to steal cookies and bypass two-factor authentication.

Some of these extensions were intentionally designed to block users from accessing their account security pages, preventing them from resetting their passwords while cybercriminals control their accounts.

How Silent Hijacking Works

This type of scam succeeds because it uses sophisticated techniques and delays the account takeover until long after users install the extension. The extensions show no signs of crashes or failures and take a methodical approach to completely taking over an account. The process includes:

  • Professional deception: Many of the extensions have clean, professional-looking names and dashboards, along with business-like descriptions. They also typically have terms and conditions that include the false statement, “No personal data collected,” which makes the extension appear credible to someone who is performing daily tasks to keep their business running.
  • Silent data collection: After installation, the extensions access and steal session cookies.
  • Impersonation: According to CISA, by stealing session cookies, cybercriminals can impersonate the user, with the cookie being the only item required to log in, thus eliminating any need to know the password.
  • Restricting the victim’s access to their accounts: Certain types of malicious software can restrict users from accessing their security settings. As a result, users are unable to modify their passwords, review their login history, or turn off two-factor authentication.

Some malicious software allows attackers to move a stolen session to another user’s session, while other variants let them take over a user’s session by hijacking the browser. Still others steal the cookies from a user’s session so the attacker can use them to impersonate the user and gain access to that user’s sessions.

Cybersecurity professionals call this an ‘account takeover.’ The legitimate user is not able to log in, whereas the cybercriminal has unlimited access to potentially sensitive corporate data, personal employee data, and financial data.

Stolen credentials and access obtained through such takeovers are frequently funneled into larger criminal schemes, such as the high-value bank account hijacking operation recently disrupted by the FBI, which led to the seizure of a key dark web domain.

Quick Actions to Inspect and Secure Your Browser

As a user of Google Chrome for both work and personal web browsing, take a moment to ensure that your browser is safe by performing an audit of the following:

  • Check extensions: Open chrome://extensions/ and review all installed extensions. Be highly suspicious of any tools that claim to provide “access,” “enhancement,” or “security” for applications such as Workday, SAP, or Oracle. Legitimate businesses seldom require a browser extension to provide access to their core applications.
  • Uninstall suspicious extensions: If you find an unfamiliar extension with a name that sounds generic and has a generic business function, uninstall it immediately. Do not just disable it; click “Remove.”
  • Secure your accounts: After removing the malicious software, change all the passwords for sites you had accessed from your original account. Change your passwords from an uninfected computer or from a browser other than the one that had the malicious software installed. A password manager can help you generate a unique, strong password for each site as your first line of defense against further account breaches, since attackers are very likely to use the same or similar passwords from already compromised accounts to access new accounts.
  • Audit your account activity: Log into your most sensitive accounts (e.g., email, human resources portal, banking), and check the login history and currently active sessions for any IP addresses or devices that you do not recognize.
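
The "check extensions" step can also be done from disk. The following is an added example, not code from the article or from Socket's research: it reads each installed extension's manifest and flags those that reference the platforms named above or that pair the cookies permission with host access to them. The keyword list, reason strings and sample manifests are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
PLATFORM_KEYWORDS = ("workday", "netsuite", "successfactors")  # names from the article
BLOCKING_PERMS = {"declarativeNetRequest", "webRequest", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}

def audit_extensions(ext_root):
    """Scan Extensions/<id>/<version>/manifest.json and list extensions to review."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            m = dict(json.loads(path.read_text(encoding="utf-8")))  # non-object JSON raises
            perms = {p for p in m.get("permissions", []) if isinstance(p, str)}
            # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
            hosts = {h.lower() for h in [*perms, *m.get("host_permissions", [])]
                     if isinstance(h, str) and ("://" in h or h == "<all_urls>")}
        except (OSError, ValueError, TypeError):
            findings.append({"id": ext_id, "name": None, "reasons": ["unreadable or malformed manifest"]})
            continue
        name = str(m.get("name", ""))  # may be a "__MSG_...__" locale placeholder
        targets = sorted(k for k in PLATFORM_KEYWORDS if any(k in h for h in hosts))
        named = any(k in name.lower() for k in PLATFORM_KEYWORDS)
        reasons = ["name references a business/HR platform"] if named else []
        if "cookies" in perms and (targets or hosts & BROAD_HOSTS):
            reasons.append("can read session cookies for: " + (", ".join(targets) or "all sites"))
        if reasons and perms & BLOCKING_PERMS:
            reasons.append("can block or redirect requests, e.g. to account security pages")
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings

def build_sample_profile(root):
    """Write two constructed manifests (not real extensions) for a dry run."""
    samples = {
        "a" * 32: {"name": "Workday Quick Access (constructed)",
                   "permissions": ["cookies", "declarativeNetRequest"],
                   "host_permissions": ["https://*.workday.example/*"]},
        "b" * 32: {"name": "Dark Mode (constructed)", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / ext_id / "1.0.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(audit_extensions(tmp))
```

To audit a real profile, pass Chrome's per-profile Extensions directory (on Linux, typically ~/.config/google-chrome/Default/Extensions). A finding means the extension deserves a manual look, not that it is confirmed malicious.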

Making safety a lifestyle means moving beyond one-off fixes and creating a habit of smart security practices. Cultivating these basic security practices will drastically decrease your risk.

The major takeaway here is that convenience sometimes becomes the enemy of good security. The faster you log in each morning, the more these tools promising ease can tempt you—exactly what criminals aim to exploit.

Caution is the best way to go: Use a secure browser, strong, unique passwords protected by a password manager, and consistently ask yourself whether something advertised as helpful really is.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
