Malicious Chrome Extensions Imitating Fortinet, YouTube, and VPN Services Engage in Data Theft

A recent investigation has unveiled a sophisticated campaign targeting Google Chrome users, employing over 100 malicious browser extensions that masquerade as legitimate tools, including VPNs, AI assistants, and cryptocurrency utilities. These extensions are designed to surreptitiously steal browser cookies and execute remote scripts without user consent.

While the extensions claim to provide various functionalities, they simultaneously connect to the attackers’ infrastructure, extracting sensitive user information and awaiting commands from the threat actors. Moreover, these malicious tools can alter network traffic, enabling the delivery of unauthorized advertisements, redirections, or proxy services.

The campaign was identified by security experts at DomainTools, who discovered an extensive web of over 100 fraudulent domains promoting these deceptive tools to unsuspecting users, likely through malicious advertising practices.

Among the compromised websites listed by DomainTools are numerous counterfeit VPN brands and attempts to impersonate established entities such as Fortinet, YouTube, DeepSeek AI, and Calendly. Notable examples include:

– earthvpn[.]top
– irontunnel[.]world and iron-tunnel[.]com
– raccoon-vpn[.]world
– forti-vpn[.]com and fortivnp[.]com
– deepseek-ai[.]link

These sites feature “Add to Chrome” buttons linking to the malicious extensions on the Chrome Web Store, lending an appearance of credibility to these illegitimate offerings.

Despite Google’s removal of a patch of identified malicious extensions, some remain accessible on the Chrome Web Store. Researchers have indicated that the persistence of these threat actors and the timing of detection efforts continue to pose substantial risks to users seeking legitimate productivity or enhancement tools.

Each malicious extension requests concerning permissions that facilitate cookie theft, DOM-based phishing, and dynamic script injection. For instance, the “fortivpn” extension is particularly concerning, capable of stealing cookies, acting as a proxy server, and modifying network traffic to execute arbitrary JavaScript from remote servers.

The operation works as follows: the extension utilizes chrome.cookies.getAll({}) to collect all browser cookies, which are then compressed and encoded before being transmitted to a specific backend server. It can also be instructed to create a WebSocket connection, functioning as a network proxy that reroutes user traffic through nefarious servers, with proxy targets and authentication handled by external commands.

Users who install these malicious extensions face significant threats, including account hijacking, personal data theft, and monitoring of their browsing activities. This access allows attackers to maintain a backdoor in the infected browser, significantly enhancing their exploitation potential. Furthermore, stolen session cookies could enable cybercriminals to compromise legitimate VPN devices or accounts, granting them unauthorized access to corporate networks and leading to potentially devastating breaches.

To mitigate these risks, users are advised to only install extensions from reputable publishers with a verified track record and to scrutinize user reviews for any potential warning signs.

As this situation evolves, inquiries have been made to Google regarding their ongoing detection efforts concerning this campaign, but further information remains pending.