Summary

  • 35 Chrome extensions were compromised due to developer phishing.
  • Scammers used fake Google login pages to steal credentials.
  • The now-malicious extensions stole Facebook login details with ease.

Chrome extensions are never completely safe, even if the developer would never dream of infecting their user base with malware. Unfortunately, it's exactly these trusted developers that bad actors love to target: if a scammer tricks one into handing over their login details, the scammer can turn the trust the developer has built against the extension's users. Such is the case with 35 Chrome extensions, which were caught performing malicious activities after their developers were phished.

35 Chrome extensions have turned bad - do you use any of them?

As announced by ExtensionTotal, things began going south when the Cyberhaven extension began infecting users with malware around Christmas Eve. After an investigation, it was discovered that a bad agent managed to get in after stealing developer login credentials using a phishing attack. Since then, ExtensionTotal has unearthed more extensions that suffered the same fate.

Here's how the attack worked: the scammer would send an email to the extension developer pretending to be Google. The email claimed that the developer's extension was in violation of Google's rules and ran the risk of removal. To prevent this from happening, the recipient had to click on a "Go To Policy" page that the email claimed would let them know how to fix it.

Of course, the "Go To Policy" page was entirely fake. When the developer clicked the button, the fake website showed them a Google account login look-alike page. If the developer entered their credentials, the scammer would gain access to the extension's code and upload a malicious update that stole people's Facebook login details. Worst of all, the scammers managed to sneak by Google's defenses with worrying ease, even if the developer had two-factor authentication enabled for their account.

If you're worried about your security, head over to the ExtensionTotal Cyberhaven Incident live reporting page and check if your installed extensions match any on the list. If you find one, change your Facebook login details ASAP. And while you're at it, be sure to remove these Chrome extensions that won't work soon.
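
The check described above can be scripted. The following is an added example, not code from ExtensionTotal or the original article: it walks a Chrome profile's `Extensions` folder (on Linux typically `~/.config/google-chrome/Default/Extensions`) and reports any installed extension whose ID is in a list you copy from the incident page. The IDs and extension names in `demo()` are constructed placeholders, not real indicators.

```python
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def installed_extensions(extensions_dir):
    """Yield (id, version, name) for every extension version found on disk."""
    for ext in sorted(Path(extensions_dir).iterdir()):
        if not (ext.is_dir() and EXT_ID.match(ext.name)):
            continue
        # Layout is <id>/<version dir>/manifest.json
        for manifest in sorted(ext.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the ID
            if not isinstance(data, dict):
                data = {}
            yield (ext.name,
                   data.get("version", manifest.parent.name),
                   data.get("name", "?"))

def flagged(extensions_dir, bad_ids):
    """Return installed extensions whose ID appears in the published list."""
    bad = {i.strip().lower() for i in bad_ids}
    return [e for e in installed_extensions(extensions_dir) if e[0] in bad]

def demo():
    # Constructed sample profile: one listed ID, one unlisted ID.
    bad_id, ok_id = "a" * 32, "b" * 32
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, name in ((bad_id, "Sample VPN"), (ok_id, "Sample Notes")):
            d = Path(tmp, ext_id, "1.0.0_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(
                json.dumps({"name": name, "version": "1.0.0"}))
        # List entries are normalised, so stray case or newlines still match.
        return flagged(tmp, [bad_id.upper() + "\n"])

if __name__ == "__main__":
    for ext_id, version, name in demo():
        print(f"FLAGGED {ext_id} {name} {version}")
```

To run it against a real profile, call `flagged()` with that profile's `Extensions` path and the IDs from the list. A match also reports the installed version, which helps when comparing against the versions the incident page names.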