Exposing Over 100 Malicious Chrome Extensions Engaged in Session Hijacking, Credential Theft, and Ad Injection
An unidentified threat actor has been implicated in the development of a series of malicious Chrome browser extensions since February 2024. These extensions, which masquerade as benign utilities, are designed to exfiltrate data, receive commands, and execute arbitrary code.
The actor employs deceptive tactics by creating websites that appear to represent legitimate services, productivity tools, or tools for ad and media creation. Users are led to install these malicious extensions through the Google Chrome Web Store. The extensions, while seemingly providing advertised functionalities, enable a range of malicious activities including credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing through Document Object Model (DOM) manipulation.
A notable feature of these extensions is the excessive set of permissions they request in their manifest.json file. These permissions give them the ability to interact with any site visited within the browser, execute arbitrary code fetched from attacker-controlled domains, perform malicious redirects, and inject ads.
Further examination has revealed that these extensions use the "onreset" event handler on a temporary DOM element to execute malicious code, an apparent attempt to circumvent content security policies (CSPs). Several lure websites impersonating legitimate products and services, including DeepSeek, Manus, DeBank, FortiVPN, and Site Stats, have been identified; they are used to entice users into downloading and installing the malicious extensions. Once activated, these extensions harvest browser cookies, load arbitrary scripts from remote servers, and establish WebSocket connections to route traffic.
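The two traits described above, over-broad manifest permissions and the inline "onreset" handler on a throwaway DOM element, can both be caught by static triage of an unpacked extension. The following is an added example written for this page, not tooling from the original researchers or from Google. The permission names are real Chrome manifest strings, but the regex heuristics, the severity descriptions, and the sample manifest and script it runs on are all constructed for illustration:

```python
"""Static triage of an unpacked Chrome extension: flag over-broad manifest
permissions and the inline 'onreset' handler pattern used to run code from a
temporary DOM element. Added example; sample inputs below are constructed."""
import re
from typing import Dict, List

# Real Chrome manifest permission names; the descriptions are this example's
# own summary of why each matters for cookie theft, redirects and injection.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for permitted hosts",
    "webRequest": "can observe or modify network traffic",
    "declarativeNetRequest": "can redirect or rewrite requests",
    "scripting": "can inject scripts into pages",
    "tabs": "can track and navigate browsing",
    "webNavigation": "can watch navigation events",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")

# Constructed heuristics: an inline 'onreset' handler is assigned on an
# element, then a synthetic 'reset' event is dispatched to trigger it.
ONRESET_ATTR = re.compile(r"""(\.onreset\s*=|setAttribute\(\s*['"]onreset['"])""")
RESET_DISPATCH = re.compile(r"""dispatchEvent\(\s*new\s+Event\(\s*['"]reset['"]""")
REMOTE_SCRIPT = re.compile(r"""createElement\(\s*['"]script['"]""")


def audit_manifest(manifest: Dict) -> List[str]:
    """Return findings for permissions that enable all-site access."""
    findings = []
    hosts = list(manifest.get("host_permissions", []))   # MV3 location
    perms = list(manifest.get("permissions", []))
    for p in perms:
        if BROAD_HOSTS.match(p):          # MV2 puts host patterns here
            hosts.append(p)
        elif p in RISKY_PERMISSIONS:
            findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    for h in hosts:
        if BROAD_HOSTS.match(h):
            findings.append(f"host pattern '{h}': can interact with every site visited")
    if "cookies" in perms and any(BROAD_HOSTS.match(h) for h in hosts):
        findings.append("cookies + all-site host access: can harvest cookies from any site")
    return findings


def audit_script(source: str) -> List[str]:
    """Return findings for the onreset trick and remote script loading."""
    findings = []
    if ONRESET_ATTR.search(source):
        findings.append("inline 'onreset' handler assigned on a DOM element")
        if RESET_DISPATCH.search(source):
            findings.append("synthetic 'reset' event dispatched (possible CSP bypass)")
    if REMOTE_SCRIPT.search(source):
        findings.append("dynamically created <script> element (remote code loading)")
    return findings


# Constructed sample manifest modelled on the over-permissioned pattern.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Site Stats Helper",  # constructed name, not a real listing
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
}

# Constructed sample content script; the handler body is left as a placeholder.
SAMPLE_SCRIPT = """
const el = document.createElement('form');
el.setAttribute('onreset', '/* handler body placeholder */');
document.body.appendChild(el);
el.dispatchEvent(new Event('reset'));
el.remove();
const s = document.createElement('script');
s.src = 'https://example.invalid/loader.js';  // placeholder host
document.head.appendChild(s);
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST) + audit_script(SAMPLE_SCRIPT):
        print("FINDING:", f)
```

Run against a real unpacked extension by loading its manifest.json with `json.load` and concatenating the JavaScript files it references; a benign utility with narrow host patterns and no inline handler assignment produces no findings, while the combination of `cookies` with `<all_urls>` is exactly the grant that makes session theft across every site possible.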
Although it remains unclear exactly how victims are directed to these fraudulent websites, phishing and social media promotion have been suggested as likely vectors. The extensions' presence in the Chrome Web Store, together with the lure sites' consistent placement alongside legitimate results, increases their visibility in ordinary web searches. Tracking artifacts, such as Facebook tracking IDs, indicate that Facebook/Meta platforms may be used to drive visitor traffic through pages, groups, and advertisements.
As of now, the identity of the actors behind this campaign remains unknown. However, they have established over 100 fraudulent websites and related malicious Chrome extensions, which Google has taken down.
To mitigate associated risks, users are advised to exclusively download extensions from verified developers, thoroughly review requested permissions, examine user reviews, and avoid extensions that closely resemble legitimate ones. It is important to note that ratings and reviews may be subject to manipulation, and negative feedback can be suppressed.
In a recent analysis, evidence was found of extensions impersonating DeepSeek that redirected users who gave low ratings (one to three stars) to a private feedback form, while users who gave high ratings (four or five stars) were sent to the official Chrome Web Store review page. This manipulation highlights the need for critical scrutiny when evaluating browser extensions.