Attacks may have been conducted since March 2024.
At least 35 Google Chrome extensions have been compromised with data-exfiltrating code as part of a phishing campaign.
Whilst Cyberhaven disclosed that a malicious extension was pushed live for around a day, the attacks may have commenced in March 2024, based on command-and-control subdomains discovered by BleepingComputer.
Further examination of the attack campaign revealed that it primarily targeted extension users' Facebook accounts, with the injected code seeking to compromise Facebook IDs, account info and tokens, and business accounts, while evading the social media platform's two-factor authentication defences.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.