Malicious Chrome Extensions Hijack Accounts by Impersonating Workday and NetSuite
- John Jordan

- 3 days ago
Cybersecurity researchers have identified five malicious Google Chrome extensions built to steal browser session cookies and hijack accounts. The extensions pose as helper tools for HR and ERP platforms such as Workday and NetSuite, putting payroll, personnel and financial data at risk. The operation combines cookie theft, blocking of the platforms' own security controls, and cookie injection for session hijacking, which together allow a complete account takeover.
Key Takeaways
- Five malicious Chrome extensions have been discovered.
- They impersonate popular HR and ERP platforms such as Workday and NetSuite.
- The extensions steal authentication cookies and hijack user sessions.
- They also block administrative access to security features inside those platforms.
- Most of the extensions have been removed from the Chrome Web Store but may still be found on third-party sites.
How the Attack Works
The discovered extensions, "DataByCloud Access," "Tool Access 11," "DataByCloud 1," "DataByCloud 2," and "Software Access," are advertised as productivity tools that unlock premium features on various platforms. Their real purpose is to exfiltrate cookies to attacker-controlled servers. They get that reach by requesting broad permissions: the cookies permission, storage, and host access to sensitive domains such as Workday and NetSuite. Chrome only lets an extension read a site's cookies when it holds both the cookies permission and host access matching that site, so this combination in a manifest is the thing to look for when auditing installed extensions.
Once installed, the extensions read authentication cookies and transmit them to remote servers. Some variants also block access to critical administrative pages within platforms such as Workday by manipulating the Document Object Model (DOM): they either erase the page content or redirect the user to a malformed URL, so that security teams cannot use the platform's own controls to respond to the incident.
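As an added example (not code from the extensions or from the researchers who reported them), the following Node.js script rates extension manifests by the permission mix described above: the cookies permission combined with host access to HR/ERP domains, and content scripts that could rewrite those sites' pages. The sensitive-host list and the four manifests are constructed for the demo; to audit what is actually installed, feed it the manifest.json files from the Extensions folder of each Chrome profile.

```javascript
// Added example (not code from the reported extensions or from the researchers):
// audit Chrome extension manifests for the permission mix the campaign relied on.

// Hostnames treated as sensitive. This list is an assumption for the example;
// extend it with the tenant hosts your organisation actually uses.
const SENSITIVE_HOSTS = ['myworkday.com', 'workday.com', 'netsuite.com'];

// Does a Chrome match pattern (scheme://host/path or <all_urls>) grant access
// to `hostname`? Follows Chrome's rule that `*.example.com` also matches
// `example.com` itself. Scheme and path are ignored on purpose: any path on
// the host is enough to read that host's cookies.
function patternCoversHost(pattern, hostname) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)?$/i.exec(pattern.trim());
  if (!m) return false;                       // not a match pattern at all
  const host = m[2].toLowerCase();
  const target = hostname.toLowerCase();
  if (host === '*') return true;              // any host
  if (host.startsWith('*.')) {
    const suffix = host.slice(2);
    return target === suffix || target.endsWith('.' + suffix);
  }
  return target === host;
}

// Collect API permissions, host patterns and content-script patterns.
// Manifest V2 mixes host patterns into `permissions`; V3 moves them to
// `host_permissions`. Both layouts are handled here.
function collectPermissions(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const key of ['permissions', 'optional_permissions']) {
    for (const p of manifest[key] || []) {
      if (p === '<all_urls>' || p.includes('://')) hosts.add(p); else api.add(p);
    }
  }
  for (const key of ['host_permissions', 'optional_host_permissions']) {
    for (const p of manifest[key] || []) hosts.add(p);
  }
  const scripts = new Set();
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) scripts.add(p);
  }
  return { api, hosts, scripts };
}

function hostsCoveredBy(patterns) {
  return SENSITIVE_HOSTS.filter(h => [...patterns].some(p => patternCoversHost(p, h)));
}

// Rate one manifest. "high": it can read cookies for a sensitive host (session
// theft); "medium": it can only run content scripts there (page blanking or
// redirects); "low": neither. Content-script match patterns count as host
// access in Chrome, so they are included when judging cookie reach.
function auditManifest(manifest) {
  const { api, hosts, scripts } = collectPermissions(manifest);
  const cookieReach = api.has('cookies') ? hostsCoveredBy(new Set([...hosts, ...scripts])) : [];
  const scriptReach = hostsCoveredBy(scripts);
  const findings = [];
  if (cookieReach.length) findings.push(`can read cookies for: ${cookieReach.join(', ')}`);
  if (scriptReach.length) findings.push(`runs content scripts on: ${scriptReach.join(', ')}`);
  if (hosts.has('<all_urls>')) findings.push('requests <all_urls> host access');
  const risk = cookieReach.length ? 'high' : scriptReach.length ? 'medium' : 'low';
  return { name: manifest.name, risk, cookieReach, scriptReach, findings };
}

// Constructed sample manifests (not the real extensions' manifests).
const SAMPLE_MANIFESTS = [
  { manifest_version: 3, name: 'Quick Notes (constructed)', permissions: ['storage'] },
  { manifest_version: 3, name: 'Premium Access Helper (constructed)',
    permissions: ['cookies', 'storage', 'tabs'],
    host_permissions: ['*://*.myworkday.com/*', 'https://*.netsuite.com/*'],
    content_scripts: [{ matches: ['*://*.myworkday.com/*'], js: ['content.js'] }] },
  { manifest_version: 2, name: 'Legacy Tool (constructed, MV2)',
    permissions: ['cookies', '<all_urls>'] },
  { manifest_version: 3, name: 'Theme Tweaker (constructed)', permissions: ['storage'],
    content_scripts: [{ matches: ['https://*.netsuite.com/*'], js: ['style.js'] }] },
];

for (const m of SAMPLE_MANIFESTS) {
  const r = auditManifest(m);
  console.log(`${r.risk.toUpperCase().padEnd(6)} ${r.name}: ${r.findings.join('; ') || 'nothing notable'}`);
}
```

The script deliberately rates on reach rather than on names: the reported extensions were published under several different names, so a manifest that can read Workday or NetSuite cookies deserves a look whatever it calls itself. Treat a "high" result as a prompt for manual review, not proof of malice, since legitimate SSO helpers may hold the same permissions.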
Sophisticated Evasion and Blocking Tactics
Some of the extensions go further. "DataByCloud 2" extends the page-blocking to a larger set of administrative pages, including those for password changes, account deactivation and security audit logs, and targets both production tenants and sandbox testing environments.
"DataByCloud 1" steals cookies and also tries to frustrate inspection with the browser's developer tools, which makes its behaviour harder for researchers to analyse. "Software Access" is the most capable of the five: besides exfiltrating cookies, it can receive stolen cookies from a command-and-control server and inject them directly into the browser, so a hijacked session can be replayed from a machine of the operator's choosing. It also includes protection for password input fields.
Coordinated Operation and Detection
Although the five extensions were published under different publisher names, they are believed to be a single coordinated campaign, given their identical functionality and infrastructure patterns. All five also carry the same hard-coded list of 23 other security-related Chrome extensions, which suggests the operators check for tools that could interfere with their operations or expose their activity.
Anyone who may have installed any of these extensions should remove them immediately (from chrome://extensions), reset the passwords of affected accounts, and review the accounts' activity logs for signs of unauthorized access. Because the attack steals session cookies rather than passwords, a password reset alone does not end an attacker's access: also sign out of all active sessions, or have an administrator terminate them, so that any cookie already exfiltrated stops working. If an administrative page appears blank or redirects unexpectedly, retry from a browser profile with no extensions installed before concluding that the platform itself is at fault. The combination of cookie theft and blocked administrative controls poses a significant risk to organizations.
Sources
Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts, The Hacker News.