100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Information
Chrome extensions are lightweight software modules that can be installed within the Google Chrome web browser to extend its capabilities and enhance user productivity. These extensions provide additional functionalities that streamline various online tasks, such as ad blocking, language translation, screen capturing, and secure browsing via VPNs. By integrating seamlessly with the browser interface, Chrome extensions allow users to customize their web experience according to specific needs and preferences.
Incident
Researchers from DomainTools Intelligence (DTI) have uncovered a large attack campaign in which attackers have created over 100 fake Google Chrome extensions since February 2024, disguised as productivity tools, VPNs, crypto, finance, and other services and promoted through fake websites that mimic legitimate brands such as DeepSeek, FortiVPN, and DeBank. The fake sites trick users into installing extensions that embed malicious functionality such as password and cookie theft, session hijacking, malicious redirects, ad injection, and phishing. While these extensions appear to provide legitimate services, they actually request excessive permissions in the manifest.json file, which allows them to access any website and execute code fetched from a server controlled by the attackers.
These extensions were found to be using Content Security Policy (CSP) bypass techniques by embedding code via an “onreset” event handler in the temporary DOM and setting up a WebSocket connection to turn the browser into a proxy for sending data back to the campaign controller. Some websites also embedded Facebook Pixel IDs, indicating that the attackers may have used Meta channels such as Facebook Pages, Groups, or ads to promote these extensions. Google has already started removing malicious extensions from the Chrome Web Store.
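As an added defensive example (not code from the DomainTools report or from any real extension), the following Node.js script audits an extension's manifest.json for the pattern described above: site-wide host access combined with sensitive permissions and a content security policy that permits remote or eval'd code. The manifest it inspects is a constructed sample, and BROAD_HOST_PATTERNS and SENSITIVE_PERMISSIONS are assumed lists, not an official Chrome classification.

```javascript
// Added example, not code from the DomainTools report or any real extension: audit a Chrome
// extension manifest.json for over-permissioning. Assumes Node.js; the sample manifest is constructed.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];
// Permissions that, with site-wide host access, enable cookie/session theft,
// request interception and code injection (MV2 and MV3 names; assumed list).
const SENSITIVE_PERMISSIONS = new Set([
  'cookies', 'webRequest', 'webRequestBlocking', 'scripting',
  'tabs', 'webNavigation', 'declarativeNetRequest', 'proxy', 'debugger',
]);

function auditManifest(manifest) {
  const findings = [];
  // MV3 lists host patterns in host_permissions; MV2 mixed them into permissions.
  const hosts = [...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p === '<all_urls>' || p.includes('://'))];
  const broadHosts = hosts.filter((h) => BROAD_HOST_PATTERNS.includes(h));
  if (broadHosts.length) findings.push(`site-wide host access: ${broadHosts.join(', ')}`);
  const sensitive = (manifest.permissions || []).filter((p) => SENSITIVE_PERMISSIONS.has(p));
  if (sensitive.length) findings.push(`sensitive permissions: ${sensitive.join(', ')}`);
  // A content script matched against every site is the hook for ad injection and session hijacking.
  const allSiteScripts = (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some((m) => BROAD_HOST_PATTERNS.includes(m)));
  for (const cs of allSiteScripts) findings.push(`content script on all sites: ${(cs.js || []).join(', ')}`);
  // A relaxed CSP (unsafe-eval or remote script hosts) lets the extension run code fetched from
  // a server the publisher controls. MV3 rejects remote hosts here; MV2 allowed them.
  const cspField = manifest.content_security_policy;
  const csp = typeof cspField === 'string' ? cspField : (cspField && cspField.extension_pages) || '';
  const unsafeEval = /unsafe-eval/.test(csp);
  if (unsafeEval) findings.push('CSP allows unsafe-eval');
  const remoteHosts = csp.match(/https?:\/\/[^\s;']+/g) || [];
  if (remoteHosts.length) findings.push(`CSP permits remote script hosts: ${remoteHosts.join(', ')}`);
  const broadHostAccess = broadHosts.length > 0 || allSiteScripts.length > 0;
  const remoteCode = sensitive.length > 0 || remoteHosts.length > 0 || unsafeEval;
  const risk = broadHostAccess && remoteCode ? 'high' : findings.length ? 'medium' : 'low';
  return { risk, broadHostAccess, sensitivePermissions: sensitive, findings };
}

// Constructed sample mirroring the permission shape the report describes (MV2 style).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example VPN Helper',
  permissions: ['cookies', 'webRequest', 'webRequestBlocking', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
  content_security_policy: "script-src 'self' https://cdn.example.invalid 'unsafe-eval'; object-src 'self'",
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

Run it against an unpacked extension's manifest.json (JSON.parse the file) to triage installed extensions; a 'high' result is a candidate for removal and review, not proof of malice.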
Recommendation
The important thing is system security. We must stay vigilant and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
References
Weekly Interesting CVE

No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference
---|---|---|---|---|---|---|---|---|---
1 | CVE-2025-32002 | 15/5/2025 | 15/5/2025 | eMagicOne Store Manager for WooCommerce | Arbitrary File Deletion | 9.1 | The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials. | Update to version 1.2.6 | https://www.cvedetails.com/cve/CVE-2025-4603/
2 | CVE-2025-23395 | 26/5/2025 | 26/5/2025 | GNU Screen | Local Privilege Escalation | 7.8 | Screen 5.0.0, when it runs with setuid-root privileges, does not drop privileges while operating on a user-supplied path. This allows unprivileged users to create files in arbitrary locations with `root` ownership, the invoking user's (real) group ownership and file mode 0644. All data written to the Screen PTY will be logged into this file, allowing escalation to root privileges. | Update to version 5.0.1 | https://app.opencve.io/cve/CVE-2025-23395
3 | CVE-2025-2382 | 17/3/2025 | 26/5/2025 | GNU C Library (glibc) | Out-of-bounds Read | 7.3 | A vulnerability classified as critical was found in PHPGurukul Online Banquet Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | Update to version 2.40 | https://app.opencve.io/cve/CVE-2025-2382
4 | CVE-2025-32706 | 13/5/2025 | 16/5/2025 | Windows Common Log File System Driver | Improper Input Validation | 7.8 | Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | Update to the latest version | 
5 | CVE-2025-47733 | 8/5/2025 | 21/5/2025 | Microsoft Power Apps | Server-Side Request Forgery (SSRF) | 9.1 | Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network. | The service provider has implemented a fix. | https://nvd.nist.gov/vuln/detail/CVE-2025-47733
Malware News or Campaign IOC/IOA

No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation
---|---|---|---|---|---
1 | Winos 4.0 | 25/05/2025 | Social Engineering, Phishing, Trojan Software, Command and Control (C2) Server | Hackers are disguising themselves as popular apps like LetsVPN and QQ Browser to trick users into unknowingly installing malware on their machines. The malware used is called Winos 4.0, also known as ValleyRAT, and is an advanced Remote Access Trojan (RAT) that can remotely take control of a target computer, steal data, and even open up avenues for other malware to enter. | 

Ref: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html
10 June 2025