Hackers were reportedly able to modify several Chrome extensions with malicious code this month after gaining access to administrator accounts through a phishing campaign. The cybersecurity company Cyberhaven shared in a this weekend that its Chrome extension was compromised on December 24 in an attack that appeared to be “targeting advertising logins on specific social networks and artificial intelligence platforms.” Some other extensions were also affected, dating back to mid-December, <a href="https://www.reuters.com/technology/cybersecurity/data-loss-prevention-company-cyberhaven-hit-by-breach-statement-says-2024-12-27/">Reuters</a> reported. According to Nudge Security's <a href="https://x.com/jaimeblascob/status/1872445912175534278">Jaime Blasco</a>, that includes ParrotTalks, Uvoice and VPNCity.
Cyberhaven notified its customers on December 26 in an email seen by which recommended that they revoke and rotate their passwords and other credentials. The company's initial investigation into the incident found that the malicious extension targeted Facebook ad users, with the goal of stealing data such as access tokens, user IDs, and other account information, along with cookies. The code also added a mouse click listener. “After successfully sending all data to the (Command and Control) server, the facebook user ID is saved in the browser's storage,” Cyberhaven said in its analysis. “That user ID is then used in mouse click events to help attackers with 2FA on their side if needed.”
Cyberhaven said it first detected the breach on December 25 and was able to remove the malicious version of the extension within an hour. It has since released a clean version.