Attacks may have been conducted since March 2024.
At least 35 Google Chrome extensions have been compromised with data-exfiltrating code as part of a phishing campaign.
Whilst Cyberhaven disclosed that a malicious extension was pushed live for around a day, the attacks may have commenced in March 2024, based on command-and-control subdomains discovered by BleepingComputer.
Further examination of the attack campaign revealed that it primarily targeted extension users' Facebook accounts, with the injected code seeking to compromise Facebook IDs, account info and tokens, and business accounts, while evading the social media platform's two-factor authentication defences.
Written by
Dan Raywood
Senior Editor
SC Media UK