Five newly discovered malicious Google Chrome extensions, disguised as helpers for popular human resources (HR) and enterprise resource planning (ERP) platforms, belong to a coordinated campaign whose goal is to hijack user accounts on widely used applications such as Workday and NetSuite by stealing their session cookies. The extensions mimic the look of tools users would trust and employ counter-detection techniques to keep long-term access to hijacked accounts.
Researchers discovered the campaign after recognizing a shared pattern: all five extensions carry a hardcoded list of 23 security- and developer-related Chrome extensions, including EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools and SessionBox. These are well-known tools used by security researchers, and the malicious extensions check whether any of them are installed. Their presence tips the threat actors off that the extension is being examined rather than used by an ordinary victim, which helps the operation avoid exposure.
Overview of the Malicious Extensions
Four of the five extensions have been removed from the Chrome Web Store; Software Access was still listed at the time of writing. All of them remain available from third-party download sites, so the risk to users has not gone away. DataByCloud 1 and DataByCloud 2 were originally published on August 18, 2021, and have since been updated with more capable malicious features.
DataByCloud 2 in particular extends its page-blocking list to 56 pages within the targeted applications: the pages used to change passwords, deactivate accounts, manage two-factor authentication devices, and view security audit logs. By hiding exactly the pages a victim or administrator would use to recover an account, the extension lets the attackers keep persistent control of it.
According to cybersecurity expert Kush Pandya, “The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking.”
Techniques Employed by the Attackers
The trojanized extensions use several methods to steal and keep access. They harvest authentication cookies for a predefined list of domains and send them to a hardcoded remote server at “api.databycloud[.]com” every minute. They also manipulate the Document Object Model (DOM) of the targeted web applications to remove or hide the security-management pages, cutting users off from the dashboards they would normally use to respond.
This blocking is what turns a credential-theft incident into one that is hard to remediate: security teams may see the unauthorized access but cannot reset credentials or revoke sessions through the application's normal interface. As the researchers at security firm Socket explain, “The combination of continuous credential theft, administrative interface blocking, and session hijacking creates a scenario where security teams can detect unauthorized access but cannot remediate through normal channels.”
The extensions also encrypt their command-and-control (C2) traffic, so security tools cannot inspect the payloads to identify or block the activity by content alone.
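The permission profile described above (cookie access to specific SaaS domains, enumeration of other installed extensions, scheduled background work, and content scripts that rewrite the page before it loads) is visible in an extension's manifest.json before any code runs. The following Node.js script is an added example, not code from Socket or from the campaign, that triages a Chrome Manifest V3 file for that combination. The two manifests it inspects are constructed for illustration; the host patterns for Workday and NetSuite are assumptions you would extend for your own estate.

```javascript
// Added example (not the report's or the extensions' code): static triage of a
// Chrome Manifest V3 file for the permission profile that cookie theft and
// security-page blocking need. Manifests below are constructed for illustration;
// only the permission names and manifest keys are real Chrome fields.

// Assumption: these are the SaaS hosts you care about. Extend as needed.
const SENSITIVE_HOSTS = [/(^|\.)workday\.com$/i, /(^|\.)myworkday\.com$/i, /(^|\.)netsuite\.com$/i];

// Extract the host part of a Chrome match pattern, e.g. "*://*.workday.com/*".
// "<all_urls>" is returned as "*" since it covers every host.
function hostOfMatchPattern(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m ? m[2] : null;
}

function hostIsSensitive(host) {
  if (host === '*') return true;               // wildcard host reaches the targets too
  const bare = host.replace(/^\*\./, '');      // "*.workday.com" -> "workday.com"
  return SENSITIVE_HOSTS.some(re => re.test(bare));
}

// Returns the findings for one manifest plus a coarse verdict.
function triageManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  const sensitive = (manifest.host_permissions || [])
    .map(hostOfMatchPattern).filter(h => h && hostIsSensitive(h));

  // 1. "cookies" + host access to the target apps is what chrome.cookies.getAll()
  //    needs to read their session cookies.
  if (perms.has('cookies') && sensitive.length) {
    findings.push(`cookies permission with host access to ${sensitive.join(', ')}`);
  }
  // 2. "management" lets an extension enumerate other installed extensions,
  //    which is how a malicious one can notice security tooling.
  if (perms.has('management')) findings.push('management permission (can enumerate other extensions)');
  // 3. "alarms" is the MV3 way to run background work on a schedule.
  if (perms.has('alarms')) findings.push('alarms permission (periodic background work)');
  // 4. A content script at document_start on the target apps runs before the
  //    page's own scripts and can rewrite the DOM, e.g. to hide security pages.
  for (const cs of manifest.content_scripts || []) {
    const hosts = (cs.matches || []).map(hostOfMatchPattern).filter(h => h && hostIsSensitive(h));
    if (hosts.length && cs.run_at === 'document_start') {
      findings.push(`content script at document_start on ${hosts.join(', ')}`);
    }
  }
  return { name: manifest.name, score: findings.length, verdict: findings.length >= 2 ? 'REVIEW' : 'ok', findings };
}

// Constructed sample: the profile a cookie-stealing, page-blocking extension needs.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3, name: 'HR Helper (constructed)', version: '1.0',
  permissions: ['cookies', 'management', 'alarms', 'storage'],
  host_permissions: ['*://*.workday.com/*', '*://*.netsuite.com/*', 'https://api.example-c2.invalid/*'],
  content_scripts: [{ matches: ['*://*.workday.com/*'], js: ['inject.js'], run_at: 'document_start' }],
};

// Constructed sample: an ordinary low-privilege extension.
const BENIGN_MANIFEST = {
  manifest_version: 3, name: 'Tab Counter (constructed)', version: '2.1',
  permissions: ['tabs'], host_permissions: [], content_scripts: [],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
    console.log(JSON.stringify(triageManifest(m), null, 2));
  }
}

module.exports = { hostOfMatchPattern, hostIsSensitive, triageManifest, SUSPICIOUS_MANIFEST, BENIGN_MANIFEST };
```

Run it with `node triage.js`, or point `triageManifest` at `JSON.parse(fs.readFileSync(path))` for each manifest.json under the browser's Extensions directory. The score is deliberately coarse: a legitimate cookie editor will also trip the first check, so treat REVIEW as a prompt to read the extension's code, not as a verdict on its own.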
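Encrypted C2 payloads cannot be inspected, but the cadence described above (one upload per minute to a fixed host) survives encryption and shows up in proxy or DNS logs as a low-jitter beacon. The script below is an added example, not part of the original report, that finds such beacons by timing alone. The log lines are constructed; the format (timestamp, client, host, method, bytes) is assumed, and the beacon host is the one the article names.

```javascript
// Added example (not from the original report): find fixed-interval beacons in
// proxy logs by timing alone, which works even when the payload is encrypted.
// Log format and all lines below are constructed for illustration.

const SAMPLE_LOG = `
2025-01-10T09:00:00Z 10.1.2.3 api.databycloud.com POST 812
2025-01-10T09:00:14Z 10.1.2.3 www.workday.com GET 20481
2025-01-10T09:01:00Z 10.1.2.3 api.databycloud.com POST 820
2025-01-10T09:01:41Z 10.1.2.3 www.netsuite.com GET 9021
2025-01-10T09:02:00Z 10.1.2.3 api.databycloud.com POST 815
2025-01-10T09:03:01Z 10.1.2.3 api.databycloud.com POST 809
2025-01-10T09:03:30Z 10.1.2.3 www.workday.com GET 17332
2025-01-10T09:04:00Z 10.1.2.3 api.databycloud.com POST 818
2025-01-10T09:04:59Z 10.1.2.3 api.databycloud.com POST 811
2025-01-10T09:06:00Z 10.1.2.3 api.databycloud.com POST 823
2025-01-10T09:07:00Z 10.1.2.3 api.databycloud.com POST 817
2025-01-10T09:07:07Z 10.1.2.3 www.workday.com GET 3012
`.trim();

// Parse "timestamp client host method bytes" lines into events with epoch seconds.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map(line => {
    const [ts, src, host, method, bytes] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, src, host, method, bytes: Number(bytes) };
  });
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Group requests by (client, host), compute inter-request gaps, and report pairs
// whose gaps cluster tightly around one period. A sleep(60s) loop gives near-zero
// jitter; human browsing gives large, irregular gaps.
function findBeacons(events, { minHits = 5, maxJitter = 0.1 } = {}) {
  const byPair = new Map();
  for (const e of events) {
    const key = `${e.src} -> ${e.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(e.t);
  }
  const beacons = [];
  for (const [pair, times] of byPair) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => t - times[i]);
    const period = median(deltas);
    // Median absolute deviation of the gaps, relative to the period.
    const mad = median(deltas.map(d => Math.abs(d - period)));
    const jitter = mad / period;
    if (jitter <= maxJitter) {
      beacons.push({ pair, hits: times.length, periodSeconds: period, jitter: Number(jitter.toFixed(3)) });
    }
  }
  return beacons;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findBeacons(parseLog(SAMPLE_LOG)));
}

module.exports = { SAMPLE_LOG, parseLog, median, findBeacons };
```

On the sample data the Workday and NetSuite traffic never reaches `minHits`, while the eight uploads to api.databycloud.com come out with a 60-second period and jitter of about 0.017. Tune `minHits` and `maxJitter` against your own baseline; software updaters and telemetry agents also beacon, so the hit list is a starting point for host-based triage of the extension's manifest and code, not an alert by itself.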
Implications for Users and Security Teams
Malicious Chrome extensions are a real threat to individual users, and organizations that depend on platforms such as Workday and NetSuite are equally exposed. Account takeover on these systems has serious consequences, including unauthorized access to sensitive employee data, financial records, and personal information. Campaigns of this sophistication show that organizations need to treat browser extensions as part of their attack surface and strengthen their defenses accordingly.
Users should regularly review the extensions installed in their browsers and remove any that look suspicious or that they no longer need. Security teams should inventory and monitor extensions across the fleet, and deploy monitoring that can flag the behaviors seen here, such as periodic uploads of cookies to an unfamiliar host and the sudden disappearance of security-settings pages from an application.

