
posted by janrinok on Tuesday January 07, @09:26PM

Arthur T Knackerbracket has processed the following story:

Hackers were reportedly able to modify several Chrome extensions with malicious code this month after gaining access to admin accounts through a phishing campaign. The cybersecurity company Cyberhaven shared in a blog post this weekend that its Chrome extension was compromised on December 24 in an attack that appeared to be “targeting logins to specific social media advertising and AI platforms.” A few other extensions were hit as well, going back to mid-December, Reuters reported. According to Nudge Security’s Jaime Blasco, that includes ParrotTalks, Uvoice and VPNCity.

Cyberhaven notified its customers on December 26 in an email seen by TechCrunch, which advised them to revoke and rotate their passwords and other credentials. The company’s initial investigation of the incident found that the malicious extension targeted Facebook Ads users, with a goal of stealing data such as access tokens, user IDs and other account information, along with cookies. The code also added a mouse click listener. “After successfully sending all the data to the [Command & Control] server, the Facebook user ID is saved to browser storage,” Cyberhaven said in its analysis. “That user ID is then used in mouse click events to help attackers with 2FA on their side if that was needed.”

Cyberhaven said it first detected the breach on December 25 and was able to remove the malicious version of the extension within an hour. It’s since pushed out a clean version.

From https://www.techspot.com/news/106205-widespread-cyberattack-targets-google-chrome-extensions-compromises-26.html

Cyberhaven breach reported. Employee phished and pushed malicious Chrome extension.

Command and Control:
149.28.124.84
cyberhavenext[.]pro

File Hashes:
content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB
worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60

– Christopher Stanley (@cstanley)
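The indicators in the tweet above are the kind of thing a defender wants to sweep a fleet of browser profiles for. The following is an added example, not code from the story, from Cyberhaven or from Christopher Stanley: it walks a directory of unpacked Chrome extensions, compares the SHA-1 of any content.js / worker.js against the two hashes quoted above, and flags any JS/JSON/HTML file that embeds the C2 domain or IP. It assumes Chrome's usual on-disk layout of `Extensions/<extension-id>/<version>/...` (on Linux typically under `~/.config/google-chrome/Default/`); the demo tree it builds, including the extension ids, is constructed sample data.

```python
"""IOC sweep over unpacked Chrome extension directories (added example).

Checks, per extension folder under a root directory:
  (a) whether a content.js or worker.js matches one of the known-bad SHA-1s
      quoted in the story, and
  (b) whether any .js/.json/.html file embeds the C2 domain or IP.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators exactly as listed in the story; SHA-1 digests are 40 hex chars.
KNOWN_BAD_SHA1 = {
    "content.js": "ac5cc8bcc05ac27a8f189134c2e3300863b317fb",
    "worker.js": "0b871bdee9d8302a48d6d6511228caf67a08ec60",
}
# The tweet defangs the domain as cyberhavenext[.]pro; we match the real form.
C2_INDICATORS = ("cyberhavenext.pro", "149.28.124.84")
C2_PATTERN = re.compile("|".join(re.escape(i) for i in C2_INDICATORS), re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".json", ".html"}

# Constructed extension ids for the demo tree (real ids are 32 letters a-p).
CLEAN_ID = "a" * 32
SUSPECT_ID = "b" * 32


def sha1_of(path: Path) -> str:
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extension(ext_dir: Path) -> list[dict]:
    """Return findings for one extension directory (all installed versions)."""
    findings = []
    for path in sorted(ext_dir.rglob("*")):
        if not path.is_file():
            continue
        # (a) exact file-hash match against the published IOCs
        if path.name in KNOWN_BAD_SHA1:
            digest = sha1_of(path)
            if digest == KNOWN_BAD_SHA1[path.name]:
                findings.append({"type": "hash_match", "file": str(path), "sha1": digest})
        # (b) C2 domain / IP embedded in source or manifest text
        if path.suffix in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            m = C2_PATTERN.search(text)
            if m:
                findings.append({"type": "c2_indicator", "file": str(path),
                                 "indicator": m.group(0)})
    return findings


def scan_root(root: Path) -> dict[str, list[dict]]:
    """Map extension id (top-level folder name) to its findings; clean ones are omitted."""
    results = {}
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        findings = scan_extension(ext_dir)
        if findings:
            results[ext_dir.name] = findings
    return results


def build_demo_tree() -> Path:
    """Constructed sample data: one clean extension, one that embeds the C2 domain."""
    root = Path(tempfile.mkdtemp(prefix="ext-ioc-demo-"))
    clean = root / CLEAN_ID / "1.0.0"
    clean.mkdir(parents=True)
    (clean / "manifest.json").write_text('{"name": "clean", "manifest_version": 3}')
    (clean / "content.js").write_text("console.log('hello');\n")
    (clean / "worker.js").write_bytes(b"")  # empty file: hashed, but not a known-bad digest
    suspect = root / SUSPECT_ID / "2.4.1"
    suspect.mkdir(parents=True)
    (suspect / "manifest.json").write_text('{"name": "suspect", "manifest_version": 3}')
    (suspect / "worker.js").write_text("fetch('https://cyberhavenext.pro/collect');\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for ext_id, findings in scan_root(demo_root).items():
        for f in findings:
            print(f"{ext_id}: {f['type']} in {f['file']} ({f.get('sha1') or f.get('indicator')})")
```

Point `scan_root` at a real profile's `Extensions` directory to sweep it; the hash check only catches the exact files published, so the domain/IP string match is the more useful signal once a compromised extension has been re-released under a new version.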

[...] Here's a compilation of known extensions to have been compromised (thanks Ars Technica), with further updates available here. If you used any of these, you should update passwords and other login credentials:

Further investigation revealed an even more alarming trend. One of the compromised extensions, Reader Mode, had been part of a separate campaign dating back to at least April 2023. This earlier compromise was linked to a monetization code library that collected detailed data on every web visit a browser makes. Tuckner identified 13 Chrome extensions, with a combined 1.14 million installations, that had used this library to collect potentially sensitive data.


  • (Score: 0) by Anonymous Coward on Tuesday January 07, @10:08PM (#1387843)

    Who would have thought.

  • (Score: 4, Funny) by Rosco P. Coltrane (4757) on Tuesday January 07, @11:37PM (#1387848)

    It was all about security and it totally panned out.
    Thanks Google!

  • (Score: 2, Touché) by anubi (2828) on Tuesday January 07, @11:47PM (#1387849)

    Can we bring it back to permit modifying executables?

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by GloomMower (17961) on Wednesday January 08, @02:15AM (#1387862)

    I had Proxy SwitchyOmega installed on one of my profiles, but Google listed it as not being compatible because of manifest v2. Wonder if it ever updated to the compromised one. It was deactivated and at a non-compromised version number, so maybe it never updated to that version?
